Last week John Wagnon, David Holmes, and I (virtually) sat down with Jim Manico of Manicode Security to take an in-depth look at the OWASP project. Among many other things within the security realm, including secure coding education and other services, Jim is currently serving his fourth term as a global board member for OWASP. It was an honor having him elevate our conversation on OWASP for this week of security month; his passion for and command of the space bring a lot to the table. We hope you enjoy this discussion as much as we did.

Point/Counter-Point

Jim made a lot of good points on the call, and he has strong opinions in a few areas that I thought would be worth sharing so you can pick a side. His paraphrased observations are below. Please take a side and argue your points in the comments!

  • The OWASP Top 10 is really meant to be a starting point, NOT a standard. Many have shaped policy around the Top 10 list of vulnerability categories, but is that enough to build policy from?
  • Encrypt EVERYTHING; there really isn't a secure trust zone. Should there be ANY trust zones, or are there niche deployments and scenarios where a trust zone makes a lot of sense?
  • Claims-based access control is where it's at! Is traditional role-based access control going the way of the dinosaur, or do roles still have something to offer in a world of claims-based access?
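To make the third point concrete, here is an added example (not code from the call, from Jim, or from any OWASP project) that puts a role-based check beside a claims-based check for the same request. The principal, resource, role names and claim names are all constructed for illustration. The role check asks only "is this user an analyst?", while the claims check compares attributes asserted about the user (tenant, department, clearance) against properties of the resource, which is what lets it refuse a cross-tenant read that the role check waves through.

```python
"""Role-based vs. claims-based access checks on the same request.

Added illustration; all names and sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]            # coarse group membership
    claims: Dict[str, object]        # attributes asserted by the identity provider


@dataclass(frozen=True)
class Report:
    owner_tenant: str                # which customer the data belongs to
    department: str                  # who is allowed to see it
    classification: int              # minimum clearance required


def rbac_can_read(p: Principal, r: Report) -> bool:
    # RBAC: the decision depends only on the role, not on the resource.
    # Every analyst can read every report, including other tenants' reports.
    return "analyst" in p.roles or "admin" in p.roles


def claims_can_read(p: Principal, r: Report) -> bool:
    # Claims-based: each claim is compared to the matching resource property.
    # A missing claim fails closed (clearance defaults to 0, tenant to None).
    c = p.claims
    return (
        c.get("tenant") == r.owner_tenant
        and c.get("department") == r.department
        and int(c.get("clearance", 0)) >= r.classification
    )


def decide(p: Principal, r: Report) -> Dict[str, bool]:
    """Return both decisions side by side for comparison."""
    return {"rbac": rbac_can_read(p, r), "claims": claims_can_read(p, r)}


# Constructed sample data.
FINANCE_REPORT = Report(owner_tenant="acme", department="finance", classification=2)

ALICE = Principal(                       # in-tenant finance analyst with clearance
    name="alice",
    roles=frozenset({"analyst"}),
    claims={"tenant": "acme", "department": "finance", "clearance": 2},
)
BOB = Principal(                         # analyst at a different tenant
    name="bob",
    roles=frozenset({"analyst"}),
    claims={"tenant": "globex", "department": "finance", "clearance": 3},
)
CAROL = Principal(                       # right tenant and department, insufficient clearance
    name="carol",
    roles=frozenset({"analyst"}),
    claims={"tenant": "acme", "department": "finance", "clearance": 1},
)


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who.name, decide(who, FINANCE_REPORT))
```

Note that a role can itself be carried as a claim (`{"role": "analyst"}`), so the two models are not mutually exclusive; the difference is whether the decision can consult attributes of both the subject and the resource, or only the subject's group membership.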

Resources

Jim mentioned a few resources on the call that are helpful starting points when considering secure coding practices or moving toward a standard.

  1. OWASP Top 10 (2013)
  2. Application Security Verification Standard (ASVS 3.0)
  3. OWASP Top 10 Proactive Controls (2016)