http://secureme.blogspot.com/2005/10/owasp-top-ten-is-really-owasp-top-65.html
This is somewhat dated, but so what? Most of the points it raises still hold.
It opens:
CIO/CSO: “I just went to a very important luncheon meeting. First, they bought me steak, then they showed me a PowerPoint about this new security list, then we got to watch STAR WARS! I want our websites to be OWASP Top Ten certified by the end of the week!”
… and it goes on with the sad-but-true:
Consultant: “Hello, I just completed CISSP boot camp. I am here to run OWASP Top Ten security scanning software and install a web application firewall! Cookies? Sorry, I’m diabetic.”
Wasn’t there a Dilbert strip about that? “Invoking the awesome power of certification”?
Speaking of which:
Dilbert: “Maybe we should first start with password protecting the website? Or fixing our expired SSL certificate?”
How true; how poignant! And we all know the response to that:
Consultant: “I’m sorry, that is not on the list! Hmm, what to do? I will use the consultant’s Top Ten Scary Word List: Sarbanes-Oxley, HIPAA, PCI…”
Seriously, though: a while ago I read an article suggesting that how you title your posts or blogs is very important, and it used examples from magazines such as Cosmopolitan to illustrate that titles like “The top 10 ways …”, “10 things you should know” and the like attract more readers.
Well heck, who wants to read an article titled:
“Six and a half ways to secure your web site”.
Maybe those into reverse psychology?
But please, do fix those expired SSL certificates.