I spoke about the latest OWASP Top Ten at my local OWASP chapter yesterday. To be frank, I wasn’t entirely sure why. This is by no means the first time I’ve given a talk about or framed by the Top Ten — indeed, when I was supposed to be giving this talk at the April chapter meeting, I was instead doing so elsewhere. But I figured that if any group of people is going to keep on top of the OWASP Top Ten, you’d think it would be people who go out of their way to attend a chapter meeting. Sure enough, everyone was familiar with the basic document but not necessarily the 2007 update. So for better or worse, especially since I had only a half hour, I just did a quick diff and highlighted the important changes. It was perhaps too casual an approach, but that’s the mood I was in. If you want more detailed discussion, I can certainly provide that at great length.

Then Gunnar Peterson gave a rapid-fire version of the talk he gave in Helsinki on his top ten list for Web services security issues. Amusingly, in Helsinki he was also preceded by someone talking about the OWASP Top Ten. Gunnar possesses an impressive ability too make the much-maligned WS-* security standards seem reasonable. More than reasonable: self-evident. Always a pleasure, Gunnar, thank you.

Almost inevitably, discussion turned to the question of what can be done to “make” developers write more secure software. This always sets me on edge, largely because of the subtext that software security is just a developer problem. There’s no question that developers need to learn more about writing secure software, but it is also true that security is too infrequently considered as part of the requirements or design phase. This has been much on my mind lately, since in the absence of security requirements I’m being forced to write them myself, so expect more from me on this soon.