Slightly off topic: the new #OWASP API Security Top Ten is coming out very soon. Right now the draft version has tons of comments in the "issues" section on #github, but most of them are vendor focused. If a vulnerability is not picked up by an automated scanner, it still needs to be on the list. You can make your voice heard by commenting on issues, here: https://lnkd.in/gU9QsEq3
Vendor focused? Could you point out a few of these to help me understand what you mean?
Look at Kali Linux Purple - https://gitlab.com/kalilinux/documentation/kali-purple
Just wondering - have you posted any comments yourself? Everyone has the right to comment, both vendors and the community - it's OWASP's responsibility to balance both, which they have done very well up till this point. In fact, this is how the OWASP API Top 10 came to be...
The team really thinks this is almost ready? There are fundamental conflicts - for instance, the idea that the list should only be unique to APIs, but it includes several items from the Web Top 10. I know this is being done voluntarily and I'm sure it is overwhelming. I really appreciate the opportunity for public comment, too. Thank you to all the volunteers who have put in tons of time!
Since the new year celebrations I have been waiting for this edition of the Top 10 :)
Looking forward to the results. Maybe one issue should be “don’t trust TLS if you don’t validate both parties.”
I can not wait to dive into this!
Totally agree. I work for a vendor but still can't accept the opinion that automated tools can detect all types of vulns in all OWASP categories. You need not only tools, but also people who can assess apps for vulnerabilities that tools can't detect.