OWASP Top-10 is not a standard

... it's a starting point

This is a short one.

OWASP Top 10 is not a standard, though it's often used as such. It's an awareness document.

I've seen so many cases of people and organizations claiming that their solutions are secure, since they use the Top-10 list in their work, track Top-10 occurrences – or that they're "in compliance with OWASP Top-10", which doesn't make much sense...

Knowing about and acting upon the relatively simple vulnerabilities in the Top-10 list is a good start, but it's not by itself enough of a basis to claim good security™. There's more to know, and many places security should be plugged into your lifecycle – for instance:

If you're looking for a (compliance or regulatory) standard, look to the ASVS (Application Security Verification Standard), or similar projects.
