Ha, linkbait! And you fell for it. ;-)
Scott (@CiPHPerCoder) makes a fair point about security checklists being – mostly – complete rubbish. Well worth a read.
Until recently, a few checklists were given a pass because they were generally considered reputable among information security professionals. The reasons usually given vary from “At least this checklist isn’t that bad” to “It helps bridge a gap between security teams and development teams”. One such “christened checklist” was the infamous OWASP Top 10.
And then OWASP published their draft for the 2017 edition of the OWASP Top 10. The reactions and criticisms were equal parts appropriate and ferocious.
The addition of “A7. Insufficient Attack Protection” in the 2017 edition was enough to prompt a lot of information security professionals to decry the OWASP Top 10 project as a useful security tool. I’m arguing that this doesn’t go far enough.