Packing the gear

So, I want to start this post off with an apology to the OWASP top 10.  I have not said, over the course of the last 2 years or so, much in the way of niceness towards it.  However, over the course of the last few days I have realized that I was wrong.  I have two biases that have got in the way.


I adamantly believe that checklist mentality is responsible for a fire-and-forget approach to “secure” software.  Well, to be fair, it’s responsible for a lot of bare minimums and superficialities in general.  So a list of top 10 vulnerabilities represented a bit of angst for me.  I prefer a deep, rich, mature set of principles instead.

Classical Arts

I have a relatively long history of studying 2 classical systems of martial arts.  I come from the sort of place where practicing scales and transitions is the way to play great music.  We don’t learn songs like hobbyists, but instead study the differences between fractions of inches.  When you know the scales, you create music.


Good, bad or indifferent, they are still biases.  Luckily I also like to chase answers… even if they lead me to find out that I’ve been wrong for a long while.  Hence the apology.

In a conversation a few days ago I made the foolish statement, “You don’t create a martial system based on the top 10 ways someone got beat up in 2009.”  The problem with that statement is that oftentimes they do (or did at any rate).  In one system I study, for instance, we have a whole set of techniques designed to attack a very specific school of swordsmanship.  The school essentially said, “here are the top n ways these guys attack, so let’s come up with some defenses against them”.  The degree to which it was effective I don’t really know… but we are still around and they aren’t.  So booyah.  This pattern isn’t unique to our ryu.  I know many schools that teach techniques vested solely in attack/defense against another school.

But that really isn’t the only reason I was wrong.  The second reason I was wrong comes from not remembering the times where I’ve assisted in training cops, health care providers, and body guards (respectively, not all at once).  In all cases we had only limited exposure to the groups, so we had to focus on some of the most reasonable and effective means of preparing them.  I promise they were shown some of the scales, but that’s not where we spent most of the time playing music.  They learned a subset of reasonable skills to protect themselves.


Now, did that training make them Chuck Norris?  No.  But that’s not really what they set out to do.  They wanted a set of primary techniques they could leverage to defend themselves reasonably.  The people who wanted something else came back for more later.

What that means, applied to the OWASP top 10, is pretty obvious to me now.  The top 10 is not the way to becoming the world’s greatest defender of code.  But that doesn’t mean it’s not a good place to learn to reasonably defend your application either.  It’s actually a really good place to start.
