Tanya Janca’s Post


Semgrep Nerd - Secure Coding Trainer - Best-selling author of Alice and Bob Secure Coding AND Alice and Bob Learn Application Security #AppSec #DevSecOps she/her SheHacksPurple

Slightly off topic: the new #OWASP API Security Top Ten is coming out very soon. Right now the draft version has tons of comments in the "issues" section on #github, but most of them are vendor focused. If a vulnerability is not picked up by an automated scanner, it still needs to be on the list. You can make your voice heard by commenting on issues, here: https://lnkd.in/gU9QsEq3

GitHub - OWASP/API-Security: OWASP API Security Project


Eugene Pakhomov, CISSP

Sales Engineer, Sr. Staff at Black Duck

1y

Totally agree. I work for a vendor but still can’t accept an opinion that automatic tools can detect all types of vulns in all OWASP categories. You need not only tools, but also people who can assess apps for vulnerabilities that tools can’t detect.

Jeff Williams

Creating highly effective application security programs

1y

Vendor focused? Could you point out a few of these to help me understand what you mean?

Luther "Chip" Harris

Sr. Cyber-Security Administrator and Ethical Hacker/Pentester/Investigator , Nerd, Teacher, Public Speaker, Cyber Security Content Creator, and Evangelist for Cyber Security and Privacy

1y

Yaniv Balmas

VP Research, Salt Security

1y

Just wondering - have you posted any comments yourself? Everyone has the right to comment, both vendors and the community - it's OWASP responsibility to balance both - which they have done very well up till this point. In fact - this is how OWASP API TOP-10 came to be...

John Overbaugh

Chief Information Security Officer | Board Member | Adviser Currently not open to unsolicited vendor offers.

1y

The team really thinks this is almost ready? There are fundamental conflicts - for instance, the idea that the list should only be unique to APIs, but includes several items from the Web Top 10. I know this is being done voluntarily and I'm sure it is overwhelming. I really appreciate the opportunity for public comment, too. Thank you to all the volunteers who have put in tons of time!

Mohammed Janibasha

Senior Software Engineer @ F5 | Cloud Security | OWASP | App Security | Proxy | K8s, AWS & Terraform Certified | QA | Devops | Python | Ansible | CICD | SAAS

1y

Since the New Year celebrations I was waiting for this sequence of top 10 :)

Looking forward to the results. Maybe one issue should be “don’t trust TLS if you don’t validate both parties.”

Matthew B

IT Manager / Senior Systems Consultant / Application & Infrastructure Specialist / Senior Virt Specialist / Cyber Sec. / Web3

1y

I can not wait to dive into this!
