[WEB SECURITY] 2009 Top 25 Programming Errors

Pete Herzog lists at isecom.org
Fri Jan 16 09:57:24 EST 2009


I am a huge fan of Mitre's work. However in this case, I like the 
concept but not the product.

>> I think that this thing needs to be approached and treated as a minimum
>> standard of due care (in testing, building, measuring) because that is
>> how it's going to be used.
> We are trying to promote it as such, but that's not the message that's
> being heard, as you and others are pointing out.

I guess what bothers me is why a Top 25 list? Doesn't that push the 
wrong message that if you address 1 - 25 then 26 through 1000 are 
okay? Was #26 just not bad enough to be worth mentioning? What was the 
specific reason for the cut off there? That's the danger in a minimum 
standard-- the world is full of people who just want to do the bare 
minimum and these lists promote exactly that this is good enough. Why 
not just make a more thorough checklist of these practices as a 
living, evolving framework/standard for developers? Wouldn't that have 
a lot more effect and make it something actually worth companies 
trying to adhere to for improvement rather than as a scapegoat? If 
it's a marketing thing you can publish annually the top 25 from the 
standard on an annual basis. That should work too and then there is a 
larger body of knowledge to go back to. It would also avoid the top 10 
problem OWASP had created. And it would allow developers to use it as 
a framework to create a practical derivative from it in the language 
they use.