WebApp Sec: Re: OWASP Top Ten - The certification and blame problem

Re: OWASP Top Ten - The certification and blame problem

From: Matteo Meucci <matteo.meucci_at_gmail.com>
Date: Wed, 13 Jul 2005 15:50:30 +0200

Hi all,
I think the OWASP Top10 is only a document illustrating the top 10
WebApp Vulnerabilities and a set of countermeasures you can adopt.
It's just a "starter doc":
you can follow the OWASP Top10 countermeasures, but this does not mean
that you have developed a "secure" web application.

In other words, OWASP Top10 cannot be a standard since it does not
cover the "secure" web app development process as a whole.
In my opinion, only if we can develop a complete OWASP methodology and
best practices for "secure" webapp development (based on OWASP Guide,
Checklist...) can we drive the road of standardization.

Mat

On 7/13/05, Eoin Keary <eoinkeary_at_gmail.com> wrote:
> Hi,
> Just being the Devil's advocate,
> Is the Top 10 just a guide or a policy?
> If it is a guideline, it's to be used as a Guide, not a certification or policy?
>
> How can OWASP certify companies (Like ISO) and ensure they follow App
> Sec best practice?
> OWASP has no way to tell if a company that claims to be OWASP Top 10
> certified is actually adhering to OWASP best practice.
>
> ISO 17799 performs regular compliance checks (and a nice regular
> revenue stream). There are certified ISO 17799 Auditors. OWASP Top 10
> does not have any of this so saying Top 10 Certified is BS ??
>
> So an enterprise that was attacked with success claiming that they were
> "Top 10 certified" is bull as we don't certify, do we? The best one can
> say is that they are compliant and at that there is no way of
> proving this?
>
> What do you all think?
>
> Eoin
>
> On 12/07/05, Evans, Arian <Arian.Evans_at_fishnetsecurity.com> wrote:
> > I can say first hand that Mark is right on the Mark
> > about blame, but worse, how many OWASP "Top 10 Certified"
> > people will "throw out the baby with the bathwater" once
> > compromised?
> >
> > I have numerous clients that want "Certified by my employer"
> > on the OWASP Top 10. Guess what happens when they are broken.
> >
> > Blame is very important in a modern society. The American
> > legal system is living proof.
> >
> > First they'll blame us. Then we'll show how we covered
> > all the Top 10. Then they'll blame OWASP.
> >
> > (keep in mind this is a silly illustrative example and not
> > reflective of the way my organization tests software or
> > deals with clients)
> >
> > -ae
> >
> > > -----Original Message-----
> > > From: Saqib Ali [mailto:docbook.xml_at_gmail.com]
> > > Sent: Sunday, July 10, 2005 1:25 AM
> > > To: Mark Curphey
> > > Cc: webappsec_at_securityfocus.com; Jeff Williams
> > > Subject: Re: OWASP Top Ten - My Case For Updating It
> > >
> > > On 7/9/05, Mark Curphey <mark_at_curphey.com> wrote:
> > > > I think the OWASP Top Ten needs a serious re-think.
> > > I agree!!! :)
> > >
> > > > novice companies will use the Top Ten as a testing yard stick. The PCI
> > > > adoption is a dangerous issue that demonstrates this point. When MasterCard
> > > > were hacked the first thing the company did was to say they passed the PCI
> > > > tests. This will be the case with the OWASP Top Ten.
> > >
> > > I disagree on this point. I don't think this will ever be the case.
> > > PCI is a standard that Merchants and Service Providers are "required"
> > > to follow. This is not the case with the OWASP Top Ten. OWASP does not
> > > require any website to implement the Top 10, neither can it. Thus
> > > OWASP Top 10 cannot be used as a scapegoat.
> > >
> > > --
> > > In Peace,
> > > Saqib Ali
> > > http://www.xml-dev.com/blog/
Received on Jul 13 2005