WebApp Sec mailing list archives
Re: OWASP Top Ten - My Case For Updating It
From: Pete Herzog <lists () isecom org>
Date: Sun, 10 Jul 2005 11:39:39 +0200
> novice companies will use the Top Ten as a testing yard stick. The PCI adoption is a dangerous issue that demonstrates this point. When MasterCard were hacked the first thing the company did was to say they passed the PCI tests. This will be the case with the OWASP Top Ten.
>
> I disagree on this point. I don't think this will ever be the case. PCI is a standard that Merchants and Service Providers are "required" to follow. This is not the case of the OWASP Top Ten. OWASP does not require any website to implement the Top 10, neither can it. Thus OWASP Top 10 cannot be used as a scapegoat.
I think you're missing the point of what a scapegoat is. It's about throwing accountability out the window. The point is that it is often not just, not correct, and preys on emotional rationale rather than intellectual. If the advantage for Mastercard is to feign innocence at having done everything it was supposed to, especially having complied with an accepted "standard", and that can be carried to the media with the proper emotional rationale, then those who don't think things through (many) will assume that applying the OWASP top 10 is garbage because it doesn't protect anything. Actually, it doesn't protect anything on its own, but that doesn't mean it's garbage. It just means it's being misused. It's a device to bring attention to the failures in web app sec. It's not a panacea. Problem is, the general public wants a pill which cures (even just functional cures are acceptable). That's why so much marketing is about product X being the answer to your security needs and why product X sells 5 billion copies. Because it's what people want and buy. If product X doesn't work, then that's not Company X's fault as their product really does fix all problems stated in the OWASP top 10. Accountability exits window.

I think the change proposed by Mark is a very necessary thing or else the abuse will only grow bigger, like it has already for SANS top 20.

-pete.
Current thread:
- OWASP Top Ten - My Case For Updating It Mark Curphey (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Ralf Durkee (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Jeff Williams (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Andrew van der Stock (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Saqib Ali (Jul 10)
- Re: OWASP Top Ten - My Case For Updating It Pete Herzog (Jul 10)
- RE: OWASP Top Ten - My Case For Updating It Mark Curphey (Jul 10)
- Re: OWASP Top Ten - My Case For Updating It Saqib Ali (Jul 11)
- Re: OWASP Top Ten - My Case For Updating It James E. Powell (Jul 11)
- Re: OWASP Top Ten - My Case For Updating It Frank O'Dwyer (Jul 13)
- Re: OWASP Top Ten - My Case For Updating It Jeff Williams (Jul 11)
- RE: OWASP Top Ten - My Case For Updating It Jeff Robertson (Jul 11)
- RE: OWASP Top Ten - My Case For Updating It Mark Curphey (Jul 11)
- Re: OWASP Top Ten - My Case For Updating It Dean H. Saxe (Jul 11)
- RE: OWASP Top Ten - My Case For Updating It Mark Curphey (Jul 11)
- Re: Re: OWASP Top Ten - My Case For Updating It rajeshkumardilli (Jul 11)
- RE: OWASP Top Ten - My Case For Updating It maburns (Jul 12)