WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: OWASP Top Ten - My Case For Updating It

From: "Mark Curphey" <mark () curphey com>
Date: Sun, 10 Jul 2005 09:36:28 -0400
With respect I disagree about your disagreement ;-)

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-
29,GGLD:en&q=owasp+and+pci

First link (view HTML for easier browsing) and look for Section 6.5.

It may be implied but without any credible alternatives, implication is
really a requirement. 

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Sunday, July 10, 2005 2:25 AM
To: Mark Curphey
Cc: webappsec () securityfocus com; Jeff Williams
Subject: Re: OWASP Top Ten - My Case For Updating It

On 7/9/05, Mark Curphey <mark () curphey com> wrote:

I think the OWASP Top Ten needs a serious re-think. 

i agree!!! :)


novice companies will use the Top Ten as a testing yard stick. The PCI 
adoption is a dangerous issue that demonstrates this point. When 
MasterCard were hacked the first thing the company did was to say they 
passed the PCI tests. This will be the case with the OWASP Top Ten.


i disagree on this point. I don't think this will ever be the case.
PCI is a standard that Merchants and Service Providers are "required"
to follow. This is not the case of the OWASP Top Ten. OWASP does not require
any website to implement the Top 10, neither can it.  Thus OWASP Top 10 can
not be used as a scapegoat.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Previous By Date Next
Previous By Thread Next

Current thread: