[pc86]

Playing devil's advocate, does it matter if she doesn't know what OWASP is specifically, if she has good security principles and designs secure systems? Saying "What's OWASP 10?" seems like a heuristic question rather than just trying to investigate what you're actually looking for - are they going to write shitty insecure code. I can say plenty of people will right secure code having never heard of OWASP, and plenty of people write terrible code with OWASP cheat sheets saved to their desktop.