
I agree with you, in particular about the "password storage" stuff. OWASP has a particularly poor history of engaging with cryptography, and, because (I think) of the personalities involved, tend towards a "teach the controversy" approach anytime they're corrected.


Obviously OWASP can't be perfect. We may see the same security issues over and over but the details of particular problems will be specific to the code-base.

But stuff that is universal should be a lot better. The Broken Auth page is so horrendous. They mention Broken Auth, then link to a 404 Session Management page, a white paper on session fixation, and a paper on password recovery.

It's bad. Instead of being a Wikipedia where people can look up types of vulnerabilities, OWASP should try to have more pseudo-code or real code that developers can reference. They have some of this already, but they need more.


I think Wikipedia stands a better chance of being the Wikipedia of web security than OWASP does.


Exactly. That seems to be what OWASP is trying to do right now... and it doesn't seem to be working because it isn't technical enough.



