8 comments

[ 2.6 ms ] story [ 27.1 ms ] thread
Using the serious sounding "Considered harmful" does not give the air of legitimacy that the author seeks.

"Considered harmful", "Considered obnoxious".

The title bit is a meme, not a plea for legitimacy.

While you can certainly dislike the meme, the interpretation you chose in your comment reads like a personal attack.

(comment deleted)
While I agree that "security" cannot be provided by a checklist, I very much think that security checklist (among other checklists) is still important to keep around.

If only for making sure you check for security issues that have slipped through before.

Sure I rather put all checks "in code", as part of an automated test suite. But we all no that for some checks that's simply not possible/feasible.

For me the problem that this article describes, people using the OWASP Top 10 as a checklist, isn't that checklists are innately a bad idea, but that the OWASP Top 10 isn't meant to be a checklist.

The Top 10 is a document designed to raise awareness of various web application security issues. Unfortunately it's a victim of its own success. People saw a defined list and jumped to the incorrect conclusion that this was a definitive list of the things you should look at to have a "secure" web application.

Unfortunately it's now become embedded in various places such that any attempt to change it causes lots of problems as people who are using it in ways it wasn't intended to be used get annoyed that if changed, it will no longer work for them.

On the more general point of checklists and security, I actually like them as a means of providing a common baseline of security in various arenas. The important part is realising that a checklist is generally a starting point and not the "be all and end all" of any effort.

This argument against checklists would apply anywhere for checklists: healthcare, airplane pre-flights, auto mechanics. Checklists enforce a minimum set of thought processes.

Suggesting checklists be discarded because some people don't do more than the minimum is a ridiculous misunderstanding of their value and human behavior.

This post argues for a detailed thought process of "Vulnerability Taxonomy" which could lead to new ideas, but also fails to enforce any minimum. Moreover, by encouraging exploration of various security areas (which is good) it still leaves you to your own knowledge which will be faulty and insufficient in some areas.

End result of this sounds like you'll have your own homegrown checklist, but it won't be called a checklist and it still won't adapt automatically and thinking will be required.