Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: OWASP Top Ten - The certification and blame problem

Re: OWASP Top Ten - The certification and blame problem

From: Eoin Keary <eoinkeary_at_gmail.com>
Date: Wed, 13 Jul 2005 11:04:38 +0000

Hi,
Just being the Devils advocate,
Is the Top 10 just a guide or a policy?
If it is a guideline its to be used as a Guide, not a certification or policy?

How can OWASP certify companies (Like ISO) and ensure they follow App
Sec best practice?
OWASP has no way to tell if a company that claims to be OWASP Top 10
certified is actually adhering to OWASP best practice.

ISO 17799 performs regular compliance checks (and a nice regular
revenue stream). There are certified ISO 17799 Auditors. OWASP Top 10
does not have any of this so saying Top 10 Certified is BS ??

So a enterprise that was attacked with success claiming that they were
"Top 10 certified" is bull as we dont certify, do we? The best one can
say is that they are compliant and at that there is not way of
prooving this?

What u all think?

Eoin

On 12/07/05, Evans, Arian <Arian.Evans_at_fishnetsecurity.com> wrote:
> I can say first hand that Mark is right on the Mark
> about blame, but worse, how many OWASP "Top 10 Certified"
> people will "throw out the baby with the bathwater" once
> compromised?
>
> I have numerous clients that want "Certified by my employer"
> on the OWASP Top 10. Guess what happens when they are broken.
>
> Blame is very important in a modern society. The American
> legal system is living proof.
>
> First they'll blame us. Then we'll show how we covered
> all the Top 10. Then they'll blame OWASP.
>
> (keep in mind this is a silly illustrative example and not
> reflective of the way my organization tests software or
> deals with clients)
>
> -ae
>
> > -----Original Message-----
> > From: Saqib Ali [mailto:docbook.xml_at_gmail.com]
> > Sent: Sunday, July 10, 2005 1:25 AM
> > To: Mark Curphey
> > Cc: webappsec_at_securityfocus.com; Jeff Williams
> > Subject: Re: OWASP Top Ten - My Case For Updating It
> >
> > On 7/9/05, Mark Curphey <mark_at_curphey.com> wrote:
> > > I think the OWASP Top Ten needs a serious re-think.
> > i agree!!! :)
> >
> > > novice companies will use the Top Ten as a testing yard
> > stick. The PCI
> > > adoption is a dangerous issue that demonstrates this point.
> > When MasterCard
> > > were hacked the first thing the company did was to say they
> > passed the PCI
> > > tests. This will be the case with the OWASP Top Ten.
> >
> > i disagree on this point. I don't think this will ever be the case.
> > PCI is a standard that Merchants and Service Providers are "required"
> > to follow. This is not the case of the OWASP Top Ten. OWASP does not
> > require any website to implement the Top 10, neither can it. Thus
> > OWASP Top 10 can not be used as a scapegoat.
> >
> > --
> > In Peace,
> > Saqib Ali
> > http://www.xml-dev.com/blog/
> >
> >
>
>
> The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material.
> Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities
> other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication
> in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.
>
>
>
Received on Jul 13 2005

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]