WebApp Sec mailing list archives

RE: OWASP Top Ten - My Case For Updating It


From: "Mark Curphey" <mark () curphey com>
Date: Mon, 11 Jul 2005 08:11:08 -0400

Hallelujah brother!

-----Original Message-----
From: Jeff Robertson [mailto:Jeff.Robertson () DigitalInsight com] 
Sent: Monday, July 11, 2005 7:58 AM
To: 'Mark Curphey'; webappsec () securityfocus com
Cc: 'Jeff Williams'
Subject: RE: OWASP Top Ten - My Case For Updating It

-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com]


If the problem of web application security is poor software quality, 
it is a natural conclusion that the solution is to build better 
software. Not once in the top ten does the list address the fact that 
the majority of software is built without a design, security 
requirements or a repeatable software security development process.

I would go so far as to say that unless a development shop is already
following a process (I don't want to start waterfall vs. RUP vs. XP wars
here) to keep plain old functionality bugs down to a minimum, they have no
hope of producing secure software. 

If a software company hasn't even figured out that its developers need to
be doing unit tests, then the idea that it could successfully implement
any sort of security testing is just putting the cart before the horse.

