WebApp Sec mailing list archives

RE: OWASP Top Ten - The certification and blame problem


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Tue, 12 Jul 2005 17:28:45 -0500

I can say first hand that Mark is right on the Mark
about blame, but worse, how many OWASP "Top 10 Certified"
people will "throw out the baby with the bathwater" once
compromised?

I have numerous clients that want "Certified by my employer"
on the OWASP Top 10. Guess what happens when they are broken.

Blame is very important in a modern society. The American
legal system is living proof.

First they'll blame us. Then we'll show how we covered
all the Top 10. Then they'll blame OWASP.

(keep in mind this is a silly illustrative example and not
reflective of the way my organization tests software or
deals with clients)

-ae 

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Sunday, July 10, 2005 1:25 AM
To: Mark Curphey
Cc: webappsec () securityfocus com; Jeff Williams
Subject: Re: OWASP Top Ten - My Case For Updating It

On 7/9/05, Mark Curphey <mark () curphey com> wrote:
I think the OWASP Top Ten needs a serious re-think.

I agree!!! :)

novice companies will use the Top Ten as a testing yard stick. The PCI
adoption is a dangerous issue that demonstrates this point. When MasterCard
were hacked the first thing the company did was to say they passed the PCI
tests. This will be the case with the OWASP Top Ten.

I disagree on this point. I don't think this will ever be the case.
PCI is a standard that Merchants and Service Providers are "required"
to follow. This is not the case of the OWASP Top Ten. OWASP does not
require any website to implement the Top 10, neither can it. Thus the
OWASP Top 10 cannot be used as a scapegoat.

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/



