On Jan 14, 2009, at 8:45 PM, Steven M. Christey wrote: > > To all, I'll ask a more strategic question - assuming we're agreed > that > the Top 25 is a non-optimal means to an end, what can the software > security community do better to raise awareness and see real-world > change?
From a Web Security point of view, have a look at the OWASP ASVS project: http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Abstract: "Whereas the OWASP Top Ten is a tool that provides web application security awareness, the OWASP Application Security Verification Standard (ASVS) is a commercially-workable open standard that defines ranges in coverage and levels of rigor that can be used to perform application security verifications ... The primary aim of the OWASP ASVS Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing application security verification using a commercially- workable open standard. This standard can be used to establish a level of confidence in the security of web applications." regards, Stephen _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
