Thursday, September 25, 2008
OWASP Web Services Top Ten
Gunnar Peterson presented this morning on the OWASP Web Services Top Ten. While many have become familiar with the OWASP Top Ten via PCI DSS, few have considered which aspects are common to web applications and web services and which are distinct.
I believe there are three action items for me upon hearing this most wonderful presentation.
1. On the long train ride back home, I need to compose all my thoughts on worst practices that I have come across in my travels, including the ones I have personally committed. Hopefully, this will provide additional guidance for others developing secure web services.
2. We need to figure out how, once this list is finalized, vendors who produce web services as part of their product offering could immediately fix deficiencies in their products. For example, it would be wonderful if Craig Randall, Laurence Hart, Bex Huff and others within the ECM community were the first to embrace it.
3. I also need to fail miserably and repeatedly in attempting to encourage industry analysts to dedicate a research report to aspects of developing secure web services. I will be pinging Gartner, Burton Group and ZapThink, with others to follow.