[Owasp-topten] OWASP Top Ten Possible Changes (long)

Mark Curphey mark at curphey.com
Sat Jul 30 11:28:59 EDT 2005


Chuck

I am responsible for running with the updated T10. I think it's worth taking
a look at my original mail that sparked it to understand my motivation for
the update. I think it's a fundamental information modeling issue that needs
to be addressed first and then decide what fits into that model and where.
Again with respect I think some of your comments are mixing security
mechanisms, attack patterns, vulnerabilities and security techniques. This
makes any list a challenge to implement effectively and to measure against
effectively. I agree with the essence of what you are saying and I think
this will all find a great home inside a good information model.

I plan to start this next week. I am in touch with the PCI folks, planning
to meet with Mitre and the CVE folks over the next two weeks (hopefully) and
have Mike Howard, John Viega, Andy Jaquith (Yankee) as enlisted reviewers.
There is a lot of good work going on in the space and it makes sense to
leverage it rather than reinvent the wheel.

My plan is to present a strawman to the top ten list within two weeks that
can be pulled apart (if needed) and then we'll add the flesh to the strawman.
This will be completed by the end of August.

Make sense?

-----Original Message-----
From: owasp-topten-admin at lists.sourceforge.net
[mailto:owasp-topten-admin at lists.sourceforge.net] On Behalf Of Chuck
Sent: Tuesday, July 26, 2005 1:08 PM
To: owasp-washington at lists.sourceforge.net;
owasp-topten at lists.sourceforge.net
Subject: [Owasp-topten] OWASP Top Ten Possible Changes (long)

Hi all,

We discussed updating the Top Ten list at the OWASP-Washington meeting last
week and that has had me thinking about it.  I think that there are a couple
issues that could be addressed, so I decided to put them down and see what
others think.  This is a work in progress, so please respond if you like it
or think I am off base.

I know a lot of people are probably on their way to Vegas today so I don't
expect much discussion this week, but maybe next week.  I'll be at DefCon,
so maybe I'll see some of you out there.

For reference, here is the current Top Ten:
A1 Unvalidated Input
A2 Broken Access Control
A3 Broken Authentication and Session Management
A4 Cross Site Scripting (XSS) Flaws
A5 Buffer Overflows
A6 Injection Flaws
A7 Improper Error Handling
A8 Insecure Storage
A9 Denial of Service
A10 Insecure Configuration Management


Issue: A1 overlaps with A4, A5, and A6.
Possible Solution: I think we should either eliminate A4, A5, and A6 or
eliminate A1.  I prefer to eliminate A4-A6 to make room for more
vulnerabilities.


Issue: A2 and A3 include a lot of different issues.
