WebApp Sec mailing list archives

RE: OWASP Top Ten - dev process


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Wed, 13 Jul 2005 13:04:12 -0500

 
Admitting that I helped get this line of thinking rolling, is
the top ten really the place to tell people how to "build software"
(especially enterprise class)? There are entire bookshelves at
Barnes and Noble about that.

Yes you are right. Definitely not telling folks how to build
software. Lots of folks though are looking for help in understanding
how to add security to software building and for folks like us
to share pragmatic wisdom.

Every time I give an example of why most account self-service
portals are bad to developers or the business they go "oh, yeah,
duh" but the obvious issues aren't top-10 and aren't written
down anywhere that I know of.

By retooling I meant something along Curphey's lines of creating
some new documents that cover these other areas.

"OWASP T10 Threats of Insecure Software"
[...]
"OWASP T10 Knowledge Nuggets to Building Secure Software"

T1--how to use .NET regex validators or Java regex whatevers
T2--how not to use cookies
T3--how not to build dynamic queries

Something like that.

Joel on Software style would be useful from my perspective;
casual language, essay-style.

Of course there are starting to be some good books out there
like Sverre's "Innocent Code" but I was thinking of material
with more platform-specific code examples.

Anyway I'll leave that for the T10 mailing list.

-ae