[WEB SECURITY] 2009 Top 25 Programming Errors
Pete Herzog
lists at isecom.org
Fri Jan 16 09:57:24 EST 2009
Hi,
I am a huge fan of Mitre's work. However in this case, I like the
concept but not the product.
>> I think that this thing needs to be approached and treated as a minimum
>> standard of due care (in testing, building, measuring) because that is
>> how it's going to be used.
>
> We are trying to promote it as such, but that's not the message that's
> being heard, as you and others are pointing out.
I guess what bothers me is why a Top 25 list? Doesn't that push the
wrong message that if you address 1 - 25 then 26 through 1000 are
okay? Was #26 just not bad enough to be worth mentioning? What was the
specific reason for the cutoff there? That's the danger in a minimum
standard -- the world is full of people who just want to do the bare
minimum and these lists promote exactly that this is good enough. Why
not just make a more thorough checklist of these practices as a
living, evolving framework/standard for developers? Wouldn't that have
a lot more effect and make it something actually worth companies
trying to adhere to for improvement rather than as a scapegoat? If
it's a marketing thing you can publish annually the top 25 from the
standard on an annual basis. That should work too and then there is a
larger body of knowledge to go back to. It would also avoid the top 10
problem OWASP had created. And it would allow developers to use it as
a framework to create a practical derivative from it in the language
they use.
Sincerely,
-pete.
www.isecom.org
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/