On 7/13/05, Evans, Arian <Arian.Evans_at_fishnetsecurity.com> wrote:
> [ ...]
>
> A Top-10 retooling that reflects and communicates
> this fact would help the FUD and benefit everyone.
> Less emphasis on XSS and more on how to build reusable
> unit tests/build software. Security tests for unit
> testing are cheap, right, I/O tests only need to be
> built once to work across a wide variety of application
> conditions based upon data type of course.
But isn't the _whole point_ of a "Top Ten" that it quickly and
easily lists the 'visible' problems [i.e. not the cause]?
I mean, you could make it a Top 2 otherwise:
1) Bad Programming
2) Bad Design
...
It covers everything; easy to interpret and hence fail or pass as you like.
imho an OWASP "Top Ten" shouldn't really cover _my_ development
procedures; only the problems exposed by them.
Anyway, maybe I've missed the email where this was being discussed;
heading over to the OWASP archive now :)
-- Michael
> Not so with business-logic specific tests, e.g.-"Rob's Report".
>
> -ae
>
> > -----Original Message-----
> > From: Mark Curphey [mailto:mark_at_curphey.com]
> > Sent: Monday, July 11, 2005 7:11 AM
> > To: 'Jeff Robertson'; webappsec_at_securityfocus.com
> > Subject: RE: OWASP Top Ten - My Case For Updating It
> >
> > Hallelujah brother !
> >
> > -----Original Message-----
> > From: Jeff Robertson [mailto:Jeff.Robertson_at_DigitalInsight.com]
> > Sent: Monday, July 11, 2005 7:58 AM
> > To: 'Mark Curphey'; webappsec_at_securityfocus.com
> > Cc: 'Jeff Williams'
> > Subject: RE: OWASP Top Ten - My Case For Updating It
> >
> > > -----Original Message-----
> > > From: Mark Curphey [mailto:mark_at_curphey.com]
> > >
> > >
> > > If the problem of web application security is poor software quality,
> > > it is a natural conclusion that the solution is to build better
> > > software. Not once in the top ten does the list address the fact that
> > > the majority of software is built without a design, security
> > > requirements or a repeatable software security development process.
> >
> > I would go so far as to say that unless a development shop is already
> > following a process (I don't want to start waterfall vs. RUP vs. XP wars
> > here) to keep plain old functionality bugs down to a minimum, they have no
> > hope of producing secure software.
> >
> > If a software company haven't even figured out that their developers need to
> > be doing unit tests, then the idea that they could successfully implement
> > any sort of security testing is just putting the cart before the horse.
> >
> >
> >
>
>
Received on Jul 13 2005