[WEB SECURITY] 2009 Top 25 Programming Errors

Andy Steingruebl steingra at gmail.com
Wed Jan 14 14:17:47 EST 2009

On Wed, Jan 14, 2009 at 10:20 AM, Arian J. Evans
<arian.evans at anachronic.com> wrote:
> For all of you ignoring this -- this is going to replace the OWASP Top
> 10 and WASC TC 1.0 or 2.0 etc. That is the goal/agenda of SANS & CWE.
> Begin press releases, beat the marketing campaign drums.

How are any of these "Standards" anyway?  I'm not sure I understand
what you're getting at here.  Are you saying there ought to be some
standard that tells people what they have to check for and that ought
to be the TC2.0?  If so, I think that is misguided as well.

In either case, though, people are looking for requirements to stick
into software purchase contracts to describe minimum security levels
for something.  None of these lists is particularly well suited to
that task, but at the same time the CC (Common Criteria) wasn't
exactly fitting that need either.  Maybe you'd like to write a
protection profile that your COTS software must meet?  Not me.

So, while the language of the list of items might not be perfect, I do
have a lot of respect for the CWE itself, as it does a pretty good job
as a taxonomy.

What are you looking to have produced to counter this?  How does the
TC fit into that at all?

Andy Steingruebl
steingra at gmail.com
