OWASP Top Ten is really the OWASP Top 6.5


http://secureme.blogspot.com/2005/10/owasp-top-ten-is-really-owasp-top-65.html

This is somewhat dated, but so what? Most of the points raised still hold valid.
It opens:

CIO/CSO: “I just went to a very important luncheon meeting. First, they bought me steak, then they showed me a PowerPoint about this new security list, then we got to watch STAR WARS! I want our websites to be OWASP Top Ten certified by the end of the week!”

… and it goes on with the sad-but-true:

Consultant: “Hello, I just completed CISSP boot camp. I am here to run OWASP Top Ten security scanning software and install a web application firewall! Cookies?
Sorry, I’m diabetic.”

Wasn’t there a Dilbert strip about that? “Invoking the awesome power of certification”?

Speaking of which:

Dilbert “Maybe we should first start with password protecting the website? Or fixing our expired SSL certificate?”

How true; how poignant! And we all know the response to that:

Consultant: “I’m sorry, that is not on the list! Hmm, what to do? I will use the consultant’s Top Ten Scary Word List: Sarbanes-Oxley, HIPAA, PCI…”

Seriously, though: a while ago I read an article suggesting that how you title your posts or blogs matters a great deal, and it used examples from magazines such as Cosmopolitan to illustrate the point: “The top 10 ways …”, “10 things you should know” and the like were going to attract more readers.

Well heck, who wants to read an article titled:

“Six and a half ways to secure your web site”.

Maybe those into reverse psychology?
But please, do fix those expired SSL certificates.
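Since the one concrete piece of advice on this page is to fix expired SSL certificates, here is an added example (not from the original post or the blog it quotes) of the check a practitioner would put in a cron job: it classifies a certificate as expired, expiring soon, or fine from the `notAfter` field that Python's `ssl` module returns, and optionally fetches that field from a live host. The 30-day warning threshold and the sample certificate dictionary are constructed for illustration.

```python
"""Added example: classify a TLS certificate by its expiry date.
The WARN_DAYS threshold and SAMPLE_CERT are assumptions made for this
illustration, not values from the original post."""
import socket
import ssl
import time

# Assumed policy: warn when fewer than this many days remain before 'notAfter'.
WARN_DAYS = 30

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# 'notAfter' uses OpenSSL's text format and is always expressed in GMT.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.invalid"),),),
    "notBefore": "Aug 19 00:00:00 2025 GMT",
    "notAfter": "Nov 17 23:59:59 2025 GMT",
}


def parse_not_after(cert):
    """Return the certificate's 'notAfter' instant as UNIX epoch seconds.
    ssl.cert_time_to_seconds parses the OpenSSL 'Mon DD HH:MM:SS YYYY GMT'
    format and treats it as UTC."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def cert_status(cert, now_epoch=None, warn_days=WARN_DAYS):
    """Classify a certificate dict. Returns (status, days_left) where
    status is 'expired', 'expiring' or 'ok' and days_left may be negative."""
    if now_epoch is None:
        now_epoch = time.time()
    days_left = (parse_not_after(cert) - now_epoch) / 86400.0
    if days_left < 0:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "ok", days_left


def check_host(host, port=443, timeout=5.0):
    """Fetch the leaf certificate of a live server and classify it.
    Needs network access, so it is not exercised offline. Verification stays
    on: an already-expired (or otherwise untrusted) chain fails the handshake,
    which we report as 'invalid' with OpenSSL's reason, while a still-valid
    certificate is checked for how soon it runs out."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return cert_status(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        return "invalid", err.verify_message


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, as of "now".
    status, days = cert_status(SAMPLE_CERT)
    print(f"{SAMPLE_CERT['subject'][0][0][1]}: {status} ({days:.1f} days left)")
```

Run it with a host argument wired into `check_host` to test a real site; `invalid` plus a message containing "certificate has expired" is exactly the case the post is complaining about, and `expiring` is the state you want to alert on before it gets there.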

