Wednesday, 21 April 2010

Security - coding & web programming errors

I'd previously mentioned the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors, which, according to ComputerWeekly, New York State was updating its procurement terms (application security procurement language) to address, with other states expected to follow. The latest version of the list is dated 5 April 2010.

It's useful to those buying software as well as to developers, as a basis for the security requirements to specify in the contract.

I've mentioned it again as a reminder, because Heise Security reports that the Open Web Application Security Project (OWASP) released its Top 10 Web Security Risks for 2010 on 19 April 2010 - another useful list.

Not surprisingly, there's a big overlap between the two lists.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

2 comments:

Clerkendweller said...

The OWASP Top Ten 2010 encourages organisations to establish an application security program and, as you suggest, this needs to include security requirements in contracts with suppliers. The OWASP Software Assurance Maturity Model (SAMM) helps organisations formulate and implement a strategy for software security that is tailored to the specific risks facing their organisation.

The OWASP Application Security Verification Standard (ASVS) is probably a more useful document for organisations wanting to develop consistency and a defined level of rigor when assessing the security of web applications, developed in-house or elsewhere.

Note: For organisations handling payment cards, the OWASP Top Ten is referenced by PCI DSS and therefore those requirements have now changed.

(Comment submitted by an OWASP member and reviewer of the Top Ten 2010)

WH said...

Thanks for the helpful comments, Clerkendweller.

To anyone interested, I've found the link for the ASVS document Clerkendweller mentions; it's available at http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Downloads