[Owasp-topten] Outsider's View of Top Ten
Rogier Boon
r.boon at itsec-ss.nl
Tue Oct 25 04:18:09 EDT 2005
Hello,
This is my first post to the topten list, please be gentle.
In my opinion the Top Ten is a good document to start a discussion on
the what and why of application security. From that perspective
unvalidated input is an issue that must be addressed in the Top Ten.
However, the lack of input validation in itself is not a vulnerability.
Input validation is a way to mitigate and resolve the other
vulnerabilities like SQL-injection. The lack of input validation can
result in a vulnerability like SQL-injection.
In the same manner, phishing (as suggested by ed) is not a vulnerability
but more a threat. Even if my application does not contain
vulnerabilities, it will not prevent an 'attacker' from creating a phishing
e-mail containing the trojan-du-jour or a link to a shadow-site (a site
that looks like the real thing).
If there are going to be (regular) updates of the top 10, it would be a
good thing(tm) if there was some kind of last updated date or next
update date or some other kind of durability date.
Maybe the broad concepts mentioned in the Top Ten can be divided into
smaller pieces. For instance, Injection flaws can become SQL-injection,
Command-injection, ...
This allows for updating the Top Ten when Command-injection becomes more
common than SQL-injection. I'm not sure how to measure this though.
Kind regards,
Rogier
PS. I enjoyed the DC conference.
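The distinction drawn above (missing input validation is not itself the vulnerability; SQL-injection is, and validation or parameterization is what removes it) is illustrated by the following added example. It is not part of Rogier's post and not OWASP material; it assumes Python's standard sqlite3 module, an in-memory table with three constructed rows, and a hypothetical username allow-list pattern.

```python
"""Added example: one lookup built three ways, to show where the SQL-injection
vulnerability lives and which controls remove it. Not from the original post."""
import re
import sqlite3

# Constructed sample data: a tiny in-memory users table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def lookup_unvalidated(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the raw input is pasted into the SQL text, so it is
    # parsed as part of the statement rather than treated as a value.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Mitigation 1: a bound parameter is delivered to the engine as data;
    # nothing in it can change the structure of the query.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Hypothetical allow-list for what this application considers a username.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def lookup_validated(conn: sqlite3.Connection, name: str) -> list:
    # Mitigation 2: validate at the trust boundary, then still bind the value.
    # Validation narrows what reaches the query; parameterization is the
    # control that actually prevents the injection.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, name)

def demo() -> dict:
    """Run all three lookups on a benign and a crafted input (constructed)."""
    conn = make_db()
    benign = "bob"
    crafted = "x' OR 'a'='a"  # constructed input that alters the unvalidated query
    results = {
        "unvalidated_benign": lookup_unvalidated(conn, benign),
        "unvalidated_crafted": lookup_unvalidated(conn, crafted),
        "parameterized_crafted": lookup_parameterized(conn, crafted),
    }
    try:
        lookup_validated(conn, crafted)
        results["validated_crafted"] = "accepted"
    except ValueError:
        results["validated_crafted"] = "rejected"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unvalidated build returns every user for the crafted input because the input became part of the WHERE clause; the parameterized build returns nothing, since no user has that literal name; the validated build rejects the input before any query runs. That ordering mirrors the point in the post: the injectable query is the vulnerability, and validation is one of the controls layered in front of it.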