WebApp Sec: RE: OWASP Top Ten - dev process

RE: OWASP Top Ten - dev process

From: Evans, Arian <Arian.Evans_at_fishnetsecurity.com>
Date: Wed, 13 Jul 2005 13:12:19 -0500

Per previous email, I don't mean to ditch the value
of a Top 10 Issues but, like the conversation that
was ramping up before OWASP London, add other T10
or T2 etc. docs.

I think we all agree that the T10 is great for visibility;
the question is what it is being used for today.

Today it has become a training guide, an assessment
guide, and a certification checklist for products
and for people's software, which I think is beyond
the scope of the T10.

This is exactly what has happened with the SANS T20.

</$0.02>

-ae

> -----Original Message-----
> From: Michael Silk [mailto:michaelslists_at_gmail.com]
> Sent: Tuesday, July 12, 2005 8:40 PM
> To: Evans, Arian
> Cc: Mark Curphey; webappsec_at_securityfocus.com
> Subject: Re: OWASP Top Ten - dev process
>
> On 7/13/05, Evans, Arian <Arian.Evans_at_fishnetsecurity.com> wrote:
> > [ ...]
> >
> > A Top-10 retooling that reflects and communicates
> > this fact would help the FUD and benefit everyone.
> > Less emphasis on XSS and more on how to build reusable
> > unit tests/build software. Security tests for unit
> > testing are cheap, right, I/O tests only need to be
> > built once to work across a wide variety of application
> > conditions based upon data type of course.
>
> But isn't the _whole point_ of a "Top Ten" that it quickly and
> easily lists the 'visible' problems [i.e. not the cause]?
>
> I mean, you could make it a Top 2 otherwise:
> 1) Bad Programming
> 2) Bad Design
>
> ...
>
> It covers everything; easy to interpret and hence fail or
> pass as you like.
>
> imho an OWASP "Top Ten" shouldn't really cover _my_ development
> procedures; only the problems exposed by them.
>
> Anyway, maybe I've missed the email where this was being discussed;
> heading over to the owasp archive now :)
>
> -- Michael
>
>
> > Not so with business-logic specific tests, e.g.-"Rob's Report".
> >
> > -ae
> >
> > > -----Original Message-----
> > > From: Mark Curphey [mailto:mark_at_curphey.com]
> > > Sent: Monday, July 11, 2005 7:11 AM
> > > To: 'Jeff Robertson'; webappsec_at_securityfocus.com
> > > Subject: RE: OWASP Top Ten - My Case For Updating It
> > >
> > > Hallelujah brother!
> > >
> > > -----Original Message-----
> > > From: Jeff Robertson [mailto:Jeff.Robertson_at_DigitalInsight.com]
> > > Sent: Monday, July 11, 2005 7:58 AM
> > > To: 'Mark Curphey'; webappsec_at_securityfocus.com
> > > Cc: 'Jeff Williams'
> > > Subject: RE: OWASP Top Ten - My Case For Updating It
> > >
> > > > -----Original Message-----
> > > > From: Mark Curphey [mailto:mark_at_curphey.com]
> > > >
> > > >
> > > > If the problem of web application security is poor software quality,
> > > > it is a natural conclusion that the solution is to build better
> > > > software. Not once in the top ten does the list address the fact that
> > > > the majority of software is built without a design, security
> > > > requirements or a repeatable software security development process.
> > >
> > > I would go so far as to say that unless a development shop is already
> > > following a process (I don't want to start waterfall vs. RUP vs. XP wars
> > > here) to keep plain old functionality bugs down to a minimum, they have no
> > > hope of producing secure software.
> > >
> > > If a software company hasn't even figured out that their developers need to
> > > be doing unit tests, then the idea that they could successfully implement
> > > any sort of security testing is just putting the cart before the horse.
> > >
Received on Jul 13 2005
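Two points in the thread above are about testing rather than about the Top Ten itself: Arian's remark that security I/O tests "only need to be built once" per data type, and Jeff Robertson's point that a shop without ordinary unit tests cannot do security testing. The following is an added example, not code from this thread or from OWASP, of what "written once per data type, reused across forms" can look like in practice. The validators, field names, form schemas and every sample input are constructed for the illustration; the per-type reject/accept corpora are the part that is written once, and any field that declares a type inherits them.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class FieldSpec:
    """One input field of some application form: a name and a data type."""
    name: str
    kind: str  # key into VALIDATORS / REJECT_CASES / ACCEPT_CASES


# --- Validators: one per data type. Hypothetical; an application supplies its own.

def valid_int(s: str, lo: int = -2**31, hi: int = 2**31 - 1) -> bool:
    # [0-9] rather than \d: in Python, \d on str also matches non-ASCII digits.
    return re.fullmatch(r"-?[0-9]{1,10}", s) is not None and lo <= int(s) <= hi


def valid_identifier(s: str) -> bool:
    return re.fullmatch(r"[A-Za-z][A-Za-z0-9_]{0,31}", s) is not None


def valid_email(s: str) -> bool:
    # fullmatch, not search with $: $ would still match before a trailing newline.
    pattern = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
    return len(s) <= 254 and re.fullmatch(pattern, s) is not None


VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "int": valid_int,
    "identifier": valid_identifier,
    "email": valid_email,
}

# --- Test corpora: written once per data type, reused by every field of that type.
# All inputs are constructed for this illustration.
REJECT_CASES: Dict[str, List[str]] = {
    "int": ["", " 42", "42 ", "4x2", "9999999999999", "\u0664\u0662", "1e3", "0x10"],
    "identifier": ["", "1abc", "a b", "a;b", "a" * 33, "a\x00b", "\u00e4"],
    "email": ["", "no-at-sign", "a@b", "a@b.c\n", "a@@b.com", "x" * 250 + "@b.co"],
}
ACCEPT_CASES: Dict[str, List[str]] = {
    "int": ["0", "-1", "2147483647"],
    "identifier": ["user_name", "A1"],
    "email": ["alice@example.com"],
}


def audit_validator(kind: str, check: Callable[[str], bool]) -> List[str]:
    """Run one validator against the corpora for its type; return failure notes."""
    problems = []
    for bad in REJECT_CASES[kind]:
        if check(bad):
            problems.append(f"accepted bad {kind} {bad!r}")
    for good in ACCEPT_CASES[kind]:
        if not check(good):
            problems.append(f"rejected good {kind} {good!r}")
    return problems


def run_field_tests(schema: List[FieldSpec]) -> Dict[str, List[str]]:
    """Apply the per-type corpora to every field of a form; {field: failures}."""
    return {f.name: audit_validator(f.kind, VALIDATORS[f.kind]) for f in schema}


def all_clean(schema: List[FieldSpec]) -> bool:
    return not any(run_field_tests(schema).values())


# Two unrelated (constructed) forms; neither needs any new test code.
ORDER_FORM = [FieldSpec("quantity", "int"), FieldSpec("coupon", "identifier")]
SIGNUP_FORM = [FieldSpec("username", "identifier"),
               FieldSpec("contact", "email"),
               FieldSpec("age", "int")]


def weak_int(s: str) -> bool:
    """Deliberately weak integer check, to show what the shared corpus catches:
    trims whitespace and uses str.isdigit(), which accepts non-ASCII digits
    and imposes no range limit."""
    return s.strip().lstrip("-").isdigit()


if __name__ == "__main__":
    for label, schema in (("order form", ORDER_FORM), ("signup form", SIGNUP_FORM)):
        print(label, "ok" if all_clean(schema) else run_field_tests(schema))
    for note in audit_validator("int", weak_int):
        print("weak_int:", note)
```

The design point is that the negative cases live with the type, not with the form: adding a third form costs a schema declaration and nothing else, and a change to one validator is exercised by every field that uses it. Running `weak_int` through the same corpus shows the harness doing its job, flagging leading/trailing whitespace, an out-of-range value and non-ASCII digits that a hand-written `isdigit()` check lets through.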
