WebApp Sec mailing list archives

Re: OWASP Top Ten - The certification and blame problem


From: Matteo Meucci <matteo.meucci () gmail com>
Date: Wed, 13 Jul 2005 15:50:30 +0200

Hi all,
I think the OWASP Top10 is only a document illustrating the top 10
WebApp Vulnerabilities and a set of countermeasures you can adopt.
It's just a "starter doc":
you can follow the OWASP Top10 countermeasures, but this does not mean
that you have developed a "secure" web application.

In other words the OWASP Top10 cannot be a standard since it does not
cover the "secure" web app development process as a whole.
In my opinion only if we can develop a complete OWASP methodology and
best practices for "secure" webapp development (based on the OWASP Guide,
Checklist...) can we drive the road of standardization.

Mat
 


On 7/13/05, Eoin Keary <eoinkeary () gmail com> wrote:
Hi,
Just being the Devil's advocate,
Is the Top 10 just a guide or a policy?
If it is a guideline it's to be used as a guide, not a certification or policy?

How can OWASP certify companies (Like ISO) and ensure they follow App
Sec best practice?
OWASP has no way to tell if a company that claims to be OWASP Top 10
certified is actually adhering to OWASP best practice.

ISO 17799 performs regular compliance checks (and a nice regular
revenue stream). There are certified ISO 17799 Auditors. OWASP Top 10
does not have any of this so saying Top 10 Certified is BS ??

So an enterprise that was successfully attacked claiming that they were
"Top 10 certified" is bull as we don't certify, do we? The best one can
say is that they are compliant, and at that there is no way of
proving this?

What do you all think?

Eoin





On 12/07/05, Evans, Arian <Arian.Evans () fishnetsecurity com> wrote:
I can say first hand that Mark is right on the Mark
about blame, but worse, how many OWASP "Top 10 Certified"
people will "throw out the baby with the bathwater" once
compromised?

I have numerous clients that want "Certified by my employer"
on the OWASP Top 10. Guess what happens when they are broken.

Blame is very important in a modern society. The American
legal system is living proof.

First they'll blame us. Then we'll show how we covered
all the Top 10. Then they'll blame OWASP.

(keep in mind this is a silly illustrative example and not
reflective of the way my organization tests software or
deals with clients)

-ae

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Sunday, July 10, 2005 1:25 AM
To: Mark Curphey
Cc: webappsec () securityfocus com; Jeff Williams
Subject: Re: OWASP Top Ten - My Case For Updating It

On 7/9/05, Mark Curphey <mark () curphey com> wrote:
I think the OWASP Top Ten needs a serious re-think.
I agree!!! :)

novice companies will use the Top Ten as a testing yard stick. The PCI
adoption is a dangerous issue that demonstrates this point. When MasterCard
were hacked the first thing the company did was to say they passed the PCI
tests. This will be the case with the OWASP Top Ten.

I disagree on this point. I don't think this will ever be the case.
PCI is a standard that Merchants and Service Providers are "required"
to follow. This is not the case for the OWASP Top Ten. OWASP does not
require any website to implement the Top 10, neither can it. Thus the
OWASP Top 10 cannot be used as a scapegoat.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/



