[Owasp-topten] Outsider's View of Top Ten

Sebastien Deleersnyder sebastien.deleersnyder at ascure.com
Wed Oct 26 06:19:05 EDT 2005


Ed, List,
 
>> reflect the most and worst web app sec threats (and exploited
>> vulnerabilities) of today on real web applications
>Sure. But, how do you feel about Input Validation being on the list?
I think unvalidated input is one of the biggest vulnerabilities.
But: it is too general for what we want to achieve if it is used for
awareness.
When I present unvalidated input, I always include:
- the misconception of developers thinking that the browser is the only
program that will be used as an end-point.
=> of course we know better: Nikto, Nessus, Perl/Python, even telnet
... etc.
I subdivide the unvalidated input vulnerability into the following 
injection threats, e.g.:
  SQL Injection
  OS Injection
  Parameter tampering
  Cookie poisoning
  Hidden field manipulation
  XSS Injection
  Buffer Overflows
All these threats can be mitigated by doing input validation.
 
>> It should thus also be pushed to OWASP members and it should be very
>> clear how we come to the updated top 10.
>>The real challenge is doing this without the usual FUD.
>Are you suggesting metrics? 
What I mean is that this should be done in a very transparent way.
A questionnaire is a good idea here. But we should be very clear who our
questionnees are.
 
> In addition to updating the doc, owasp needs to release a standard for
> organizations like VISA and the FTC to reference.
> Then, owasp needs to talk to those organizations and attempt to get
> them to use the "standard" instead of the "awareness" document.
I agree completely, but be aware that creating a standard is an enormous
task and that standardisation bodies are very slow for a reason: you
have to get general consensus. But this should definitely be a project
to be started: OWASP Secure Web Applications Standard
 
regards,
 
Seba
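As an added illustration of the point made in the mail above (not code from the original message or from OWASP), the following constructed server-side validator treats every request field, including hidden fields and cookies, as untrusted, which is the behaviour needed once you accept that the browser is not the only client. It assumes a dict-shaped request with "form" and "cookie" sections and a hypothetical items table.

```python
import html
import re
import sqlite3

# Allowlist schema (constructed): what each accepted field may look like.
# Hidden form fields and cookies get exactly the same scrutiny as visible
# inputs. Note that "price" is deliberately absent: a client-supplied price
# (the classic hidden-field manipulation) is never read; it comes from the DB.
SCHEMA = {
    "item_id": {"source": "form",   "pattern": r"[0-9]{1,9}",       "type": int},
    "qty":     {"source": "form",   "pattern": r"[1-9][0-9]{0,2}",  "type": int},
    "note":    {"source": "form",   "pattern": r"[^\x00-\x1f]{0,200}", "type": str},
    "session": {"source": "cookie", "pattern": r"[a-f0-9]{32}",     "type": str},
}

class ValidationError(ValueError):
    pass

def validate(request):
    """Return typed, allowlisted values; reject or ignore everything else."""
    clean = {}
    for name, rule in SCHEMA.items():
        raw = request.get(rule["source"], {}).get(name)
        if raw is None or not re.fullmatch(rule["pattern"], raw):
            raise ValidationError(f"bad or missing field: {name}")
        clean[name] = rule["type"](raw)
    return clean  # fields not in SCHEMA (e.g. a tampered "price") are dropped

def is_rejected(request):
    """Convenience wrapper: True if validate() raises ValidationError."""
    try:
        validate(request)
        return False
    except ValidationError:
        return True

def lookup_price(conn, clean):
    """SQL injection defence: the validated id is bound, never concatenated."""
    row = conn.execute("SELECT price FROM items WHERE id = ?",
                       (clean["item_id"],)).fetchone()
    return row[0] if row else None

def render_note(clean):
    """XSS defence: validation limits length/control chars, encoding does the rest."""
    return html.escape(clean["note"])

def demo_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, price INTEGER)")
    conn.execute("INSERT INTO items VALUES (7, 1999)")
    return conn
```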