Re: OWASP Top Ten - dev process

[Michael Silk <michaelslists () gmail com>]

On 7/13/05, Evans, Arian <Arian.Evans () fishnetsecurity com> wrote:
> [ ...]
>
> A Top-10 retooling that reflects and communicates
> this fact would help the FUD and benefit everyone.
> Less emphasis on XSS and more on how to build reusable
> unit tests/build software. Security tests for unit
> testing are cheap, right, I/O tests only need to be
> built once to work across a wide variety of application
> conditions based upon data type of course.

But isn't the the _whole point_ of a "Top Ten" is that it quickly and
easily lists the 'visible' problems [i.e not the cause]?

I mean, you could make it a Top 2 otherwise:
1) Bad Programming
2) Bad Design

...

It covers everything; easy to interpret and hence fail or pass as you like.

imho an OWASP "Top Ten" shouldn't really cover _my_ development
procedures; only the problems exposed by them.

Anyway, maybe i've missed the email where this was being discussed;
heading over to the owasp archive now :)

-- Michael


> Not so with business-logic specific tests, e.g.-"Rob's Report".
>
> -ae
>
> > -----Original Message-----
> > From: Mark Curphey [mailto:mark () curphey com]
> > Sent: Monday, July 11, 2005 7:11 AM
> > To: 'Jeff Robertson'; webappsec () securityfocus com
> > Subject: RE: OWASP Top Ten - My Case For Updating It
> >
> > Hallelujah brother !
> >
> > -----Original Message-----
> > From: Jeff Robertson [mailto:Jeff.Robertson () DigitalInsight com]
> > Sent: Monday, July 11, 2005 7:58 AM
> > To: 'Mark Curphey'; webappsec () securityfocus com
> > Cc: 'Jeff Williams'
> > Subject: RE: OWASP Top Ten - My Case For Updating It
> >
> > > -----Original Message-----
> > > From: Mark Curphey [mailto:mark () curphey com]
> > >
> > >
> > > If the problem of web application security is poor software
> > quality,
> > > it is a natural conclusion that the solution is to build better
> > > software. Not once in the top ten does the list address the
> > fact that
> > > the majority of software is built without a design, security
> > > requirements or a repeatable software security development process.
> >
> > I would go so far as to say that unless a development shop is already
> > following a process (I don't want to start waterfall vs. RUP
> > vs. XP wars
> > here) to keep plain old functionality bugs down to a minimum,
> > they have no
> > hope of producing secure software.
> >
> > If a software company haven't even figured out that their
> > developers need to
> > be doing unit tests, then the idea that they could
> > successfully implement
> > any sort of security testing is just putting the cart before
> > the horse.
>
>
> The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or 
> privileged material.
> Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this 
> information by persons or entities
> other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you 
> received this communication
> in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network 
> system.