[Owasp Source Flaws Top 10] int main(void) {printf("Hello World!\n"); return 0; }
Eduardo V. C. Neves
eduardo.neves at owasp.org
Mon Dec 15 10:52:19 EST 2008
Paolo,
Here are my first comments:
C1 - Design Weakness
A design weakness occurs when your business logic isn't strong enough to withstand a threat modeling activity, so it may be easy for an attacker to subvert your application's behavior. Design is also about object scope and visibility, so extra care must be taken with what your program exposes to others.
It makes more sense to me if the text is changed to "A design weakness occurs when the logic used to create the application did not address a threat modeling activity". Using only "business logic" may not be interpreted correctly by non-technical readers.
C2 - Architectural Weakness
Your application at runtime is not a standalone part of the entire world; it depends on auxiliary systems. An architectural weakness occurs when your code interacts in an unsafe way with auxiliary systems.
I prefer to use "auxiliary component" or even "support component", given that "system" can be interpreted as only an application, while here we may mean hardware, interfaces and other things.
C4 - Insecure communications
Web applications use the TCP/IP stack to communicate with the world, no magic in this. An insecure communication vulnerability, seen from the source code point of view, is about how the abstraction layer provided by the operating system (sockets, ...) and the communication layer provided by the framework (Java sockets, ...) are used. This is more than just checking for SSL usage; this is about how the communication code is written.
I think the description should be more precise. No ideas for now, but maybe in the near future.
C7 - Misuse of local resources
Often people pretends that operating system provided resources are an infinite container of memory, disk space and CPU time. Well, it isn't. You must also consider that poorly designed local resource utilization can lead an application to have poor response time, and then it can lead to a denial of service if an attacker tries to consume all the resources.
Pretends or intends? It sounds a little strange to me.
Just my initial comments; shall we discuss?
Best,
Eduardo
On Dec 15, 2008, at 1:39 PM, Paolo Perego wrote:
> Hello there, so this is the first message in the mailing list.
>
> I hope this will be a great community and that we'll provide a great
> document to Owasp Community.
>
> This is the first draft of Top 10 I published: http://www.owasp.org/index.php/OWASP_Source_Code_Flaws_Top_10_Project_Index
> Does it make sense to you?
>
> Ciao ciao
> thesp0nge
> --
> "stay hungry, stay foolish"
>
> OWASP Orizon project, http://orizon.sourceforge.net
> "enjoy your code review experience"
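The resource-exhaustion failure mode the C7 draft text describes, as an added C example that is not part of this thread or of the OWASP draft: a peer-declared record length is used as an allocation size, and the bounded parser checks it against a policy cap (REC_MAX_PAYLOAD, an assumed value) and against the bytes actually received before allocating anything. The wire format and the inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes returned by parse_record(). */
enum { REC_OK = 0, REC_SHORT_HEADER = 1, REC_TOO_LARGE = 2, REC_TRUNCATED = 3, REC_NOMEM = 4 };

/* Per-record cap: a policy choice (assumed value), not something the draft prescribes. */
#define REC_MAX_PAYLOAD (64u * 1024u)

/* Constructed wire format: 4-byte big-endian payload length, then the payload. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* What a "memory is infinite" implementation would hand to malloc(): the peer's declared length, unchecked. */
uint32_t naive_alloc_size(const uint8_t *buf, size_t buflen) {
    return buflen < 4 ? 0 : read_be32(buf);
}

/* Bounded version: the declared length is validated against the policy cap and against the
 * bytes actually received before any allocation, and allocation failure is a handled outcome. */
int parse_record(const uint8_t *buf, size_t buflen, uint8_t **payload, uint32_t *payload_len) {
    *payload = NULL;
    *payload_len = 0;
    if (buflen < 4) return REC_SHORT_HEADER;
    uint32_t len = read_be32(buf);
    if (len > REC_MAX_PAYLOAD) return REC_TOO_LARGE;   /* refuse before allocating */
    if (len > buflen - 4) return REC_TRUNCATED;        /* declared more than was received */
    uint8_t *copy = malloc(len ? len : 1);
    if (copy == NULL) return REC_NOMEM;
    memcpy(copy, buf + 4, len);
    *payload = copy;
    *payload_len = len;
    return REC_OK;
}

int main(void) {
    /* Constructed input: header claims 0xFFFFFFFF bytes of payload, only 2 bytes follow. */
    const uint8_t hostile[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'h', 'i' };
    uint8_t *p; uint32_t n;
    printf("naive code would request %u bytes\n", naive_alloc_size(hostile, sizeof hostile));
    printf("bounded parser status: %d\n", parse_record(hostile, sizeof hostile, &p, &n));
    return 0;
}
```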