[WEB SECURITY] 2009 Top 25 Programming Errors

Tom Brennan - Proactive Risk tomb at proactiverisk.com
Fri Jan 16 12:07:41 EST 2009


Seems like a perfect OWASP PodCast discussion for each of the respective
voices as a round table-panel.

https://www.owasp.org/index.php/OWASP_Podcast

Stay tuned.... If you want to be involved in it, drop Jim a note at
Jim at Manico.net


-Tom Brennan
 

-----Original Message-----
From: Pete Herzog [mailto:lists at isecom.org] 
Sent: Friday, January 16, 2009 9:57 AM
To: Steven M. Christey
Cc: Arian J. Evans; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] 2009 Top 25 Programming Errors

Hi,

I am a huge fan of Mitre's work. However in this case, I like the concept
but not the product.

>> I think that this thing needs to be approached and treated as a 
>> minimum standard of due care (in testing, building, measuring) 
>> because that is how it's going to be used.
> 
> We are trying to promote it as such, but that's not the message that's 
> being heard, as you and others are pointing out.

I guess what bothers me is why a Top 25 list? Doesn't that push the wrong
message that if you address 1 - 25 then 26 through 1000 are okay? Was #26
just not bad enough to be worth mentioning? What was the specific reason for
the cut-off there? That's the danger in a minimum
standard: the world is full of people who just want to do the bare minimum,
and these lists promote exactly that this is good enough. Why not just make
a more thorough checklist of these practices as a living, evolving
framework/standard for developers? Wouldn't that have a lot more effect and
make it something actually worth companies trying to adhere to for
improvement rather than as a scapegoat? If it's a marketing thing, you can
publish annually the top 25 from the standard on an annual basis. That
should work too, and then there is a larger body of knowledge to go back to.
It would also avoid the top 10 problem OWASP had created. And it would allow
developers to use it as a framework to create a practical derivative from it
in the language they use.

Sincerely,
-pete.

www.isecom.org



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA




