WebApp Sec mailing list archives
Re: OWASP Top Ten - The certification and blame problem
From: Matteo Meucci <matteo.meucci () gmail com>
Date: Wed, 13 Jul 2005 15:50:30 +0200
Hi all,

I think the OWASP Top10 is only a document illustrating the top 10 WebApp Vulnerabilities and a set of countermeasures you can adopt. It's just a "starter doc": you can follow the OWASP Top10 countermeasures, but this does not mean that you have developed a "secure" web application. In other words, OWASP Top10 cannot be a standard since it does not cover the "secure" web app development process as a whole. In my opinion, only if we can develop a complete OWASP methodology and best practices for "secure" webapp development (based on OWASP Guide, Checklist...) can we drive the road of standardization.

Mat

On 7/13/05, Eoin Keary <eoinkeary () gmail com> wrote:

> Hi,
>
> Just being the Devil's advocate: is the Top 10 just a guide or a policy? If it is a guideline, it's to be used as a guide, not a certification or policy? How can OWASP certify companies (like ISO) and ensure they follow App Sec best practice? OWASP has no way to tell if a company that claims to be OWASP Top 10 certified is actually adhering to OWASP best practice. ISO 17799 performs regular compliance checks (and a nice regular revenue stream). There are certified ISO 17799 auditors. OWASP Top 10 does not have any of this, so saying Top 10 Certified is BS?? So an enterprise that was attacked with success claiming that they were "Top 10 certified" is bull, as we don't certify, do we? The best one can say is that they are compliant, and at that there is no way of proving this?
>
> What do you all think?
>
> Eoin
>
> On 12/07/05, Evans, Arian <Arian.Evans () fishnetsecurity com> wrote:
>
>> I can say first hand that Mark is right on the Mark about blame, but worse, how many OWASP "Top 10 Certified" people will "throw out the baby with the bathwater" once compromised? I have numerous clients that want "Certified by my employer" on the OWASP Top 10. Guess what happens when they are broken. Blame is very important in a modern society. The American legal system is living proof. First they'll blame us. Then we'll show how we covered all the Top 10. Then they'll blame OWASP.
>>
>> (keep in mind this is a silly illustrative example and not reflective of the way my organization tests software or deals with clients)
>>
>> -ae
>>
>> -----Original Message-----
>> From: Saqib Ali [mailto:docbook.xml () gmail com]
>> Sent: Sunday, July 10, 2005 1:25 AM
>> To: Mark Curphey
>> Cc: webappsec () securityfocus com; Jeff Williams
>> Subject: Re: OWASP Top Ten - My Case For Updating It
>>
>> On 7/9/05, Mark Curphey <mark () curphey com> wrote:
>>
>>> I think the OWASP Top Ten needs a serious re-think.
>>
>> I agree!!! :)
>>
>>> novice companies will use the Top Ten as a testing yardstick. The PCI adoption is a dangerous issue that demonstrates this point. When MasterCard were hacked the first thing the company did was to say they passed the PCI tests. This will be the case with the OWASP Top Ten.
>>
>> I disagree on this point. I don't think this will ever be the case. PCI is a standard that Merchants and Service Providers are "required" to follow. This is not the case of the OWASP Top Ten. OWASP does not require any website to implement the Top 10, neither can it. Thus OWASP Top 10 can not be used as a scapegoat.
>>
>> --
>> In Peace,
>> Saqib Ali
>> http://www.xml-dev.com/blog/