WebApp Sec mailing list archives
Re: OWASP Top Ten - dev process
From: Michael Silk <michaelslists () gmail com>
Date: Wed, 13 Jul 2005 11:40:08 +1000
On 7/13/05, Evans, Arian <Arian.Evans () fishnetsecurity com> wrote:
[ ...] A Top-10 retooling that reflects and communicates this fact would help the FUD and benefit everyone. Less emphasis on XSS and more on how to build reusable unit tests/build software. Security tests for unit testing are cheap, right, I/O tests only need to be built once to work across a wide variety of application conditions based upon data type of course.
But isn't the the _whole point_ of a "Top Ten" is that it quickly and easily lists the 'visible' problems [i.e not the cause]? I mean, you could make it a Top 2 otherwise: 1) Bad Programming 2) Bad Design ... It covers everything; easy to interpret and hence fail or pass as you like. imho an OWASP "Top Ten" shouldn't really cover _my_ development procedures; only the problems exposed by them. Anyway, maybe i've missed the email where this was being discussed; heading over to the owasp archive now :) -- Michael
Not so with business-logic specific tests, e.g.-"Rob's Report". -ae-----Original Message----- From: Mark Curphey [mailto:mark () curphey com] Sent: Monday, July 11, 2005 7:11 AM To: 'Jeff Robertson'; webappsec () securityfocus com Subject: RE: OWASP Top Ten - My Case For Updating It Hallelujah brother ! -----Original Message----- From: Jeff Robertson [mailto:Jeff.Robertson () DigitalInsight com] Sent: Monday, July 11, 2005 7:58 AM To: 'Mark Curphey'; webappsec () securityfocus com Cc: 'Jeff Williams' Subject: RE: OWASP Top Ten - My Case For Updating It-----Original Message----- From: Mark Curphey [mailto:mark () curphey com] If the problem of web application security is poor softwarequality,it is a natural conclusion that the solution is to build better software. Not once in the top ten does the list address thefact thatthe majority of software is built without a design, security requirements or a repeatable software security development process.I would go so far as to say that unless a development shop is already following a process (I don't want to start waterfall vs. RUP vs. XP wars here) to keep plain old functionality bugs down to a minimum, they have no hope of producing secure software. If a software company haven't even figured out that their developers need to be doing unit tests, then the idea that they could successfully implement any sort of security testing is just putting the cart before the horse.The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.
Current thread:
- RE: OWASP Top Ten - dev process Evans, Arian (Jul 12)
- Re: OWASP Top Ten - dev process Michael Silk (Jul 13)
- Re: OWASP Top Ten - dev process Devdas Bhagat (Jul 13)
- Re: OWASP Top Ten - dev process Andrew van der Stock (Jul 13)
- Re: OWASP Top Ten - dev process Devdas Bhagat (Jul 13)
- <Possible follow-ups>
- RE: OWASP Top Ten - dev process Jeff Robertson (Jul 13)
- RE: OWASP Top Ten - dev process Evans, Arian (Jul 13)
- RE: OWASP Top Ten - dev process Evans, Arian (Jul 13)
- Re: OWASP Top Ten - dev process Michael Silk (Jul 13)