Hi Rishi,

Good post. For any development team, OWASP Top 10 Vulnerability protection is an achievable/tangible baseline to have, compliance-driven or not. I definitely agree that it shouldn't be the ONLY list to certify your app against. And yes, a pen tester ought to look beyond it, provided the scope of engagement permits.

On another note, the OWASP Top 10 Proactive Controls list is an interesting prevention-based approach (https://www.owasp.org/index.php/OWASP_Proactive_Controls). Organizations could potentially use both OWASP Top 10 Vulnerabilities and OWASP Top 10 Proactive Controls to set a solid baseline first, then go for a pen test from creative tester(s) and add the additional findings to the baseline. As time progresses, repeating the process would strengthen the testing posture. Ideally, securing all phases of the SDLC would be the perfect approach/solution, but we live in a world full of release deadlines, time constraints, resource constraints, NFR perceptions etc. :-)

Vishal

On Wed, Aug 20, 2014 at 12:31 AM, Rishi Narang <i...@pwnstar.in> wrote:
> Friends,
>
> I've written a blog on the assessment limitations that we restrict
> ourselves to OWASP X and don't usually go beyond it.
>
> Let me know your comments or feel free to contact me.
>
> Blog Links -
> LinkedIn - https://www.linkedin.com/today/post/article/20140818151659-7472152-owasp-x-life-beyond-it
> Personal Blog - https://www.wtfuzz.com/blogs/owasp-cheatsheet-not-bible/
>
> Cheers and have a good time!
>
> - Rishi
>
> _______________________________________________
> OWASP-Delhi mailing list
> OWASP-Delhi@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
> LinkedIn Group: https://www.linkedin.com/groups?gid=89270
> Twitter: https://twitter.com/OWASPdelhi