[Owasp-topten] Outsider's View of Top Ten
sebastien.deleersnyder at ascure.com
Wed Oct 26 06:19:05 EDT 2005
>> reflect the most and worst web app sec threats (and exploited
>> vulnerabilities) of today on real web applications
>Sure. But, how do you feel about Input Validation being on the list?
I think unvalidated input is one of the biggest vulnerabilities.
But: it is too general for what we want to achieve if it is used for
When I present unvalidated input, I always include:
- misconception of developers thinking that the browser is the only program
that will be used as end-point.
=> of course we know better: Nikto, Nessus, Perl/Python, even telnet
I subdivide the unvalidated input vulnerability into the following
injection threats, e.g.:
Hidden field manipulation
All these threats can be mitigated by doing input validation.
>>It should thus also be pushed to OWASP members and it should be very
>>clear how we come to the updated top 10.
>>The real challenge is doing this without the usual FUD.
>Are you suggesting metrics?
What I mean is that this should be done in a very transparent way.
A questionnaire is a good idea here. But we should be very clear who our
> In addition to updating the doc, owasp needs to release a standard for
> organizations like VISA and the FTC to reference.
>Then, owasp needs to talk to those organizations and attempt to get
>them to use the "standard" instead of the "awareness" document.
I agree completely, but be aware that creating a standard is an enormous
task and that standardisation bodies are very slow for a reason: you
have to get general consensus. But this should definitely be a project
to be started: OWASP Secure Web Applications Standard
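Added example, not part of the thread, illustrating the hidden-field manipulation point above: a handler that trusts a client-supplied hidden price field beside one that validates the item id against a server-side catalogue and re-derives the price, plus an HMAC seal for hidden fields that genuinely must round-trip through the browser. The catalogue, secret and form values are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed server-side catalogue (prices in cents): the only trusted price source.
CATALOG = {"book-101": 1999, "pen-007": 299}

# Constructed secret for sealing hidden fields; a real deployment uses its own secret.
SECRET = b"example-secret-do-not-use"


def untrusted_total(form):
    """'Before' pattern: the hidden 'price' field set by the server is simply
    read back from the client, so anyone sending their own value sets the price."""
    return int(form["price"]) * int(form["qty"])


def validated_total(form):
    """Input validation: allowlist the item id, bound the quantity, and derive the
    price from server-side state instead of from anything the client sent."""
    item = form.get("item_id", "")
    if item not in CATALOG:
        raise ValueError("unknown item id")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[item] * qty


def seal(value):
    """Attach an HMAC-SHA256 tag so a hidden field that must pass through the
    browser can be checked for tampering when it comes back."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def unseal(sealed):
    """Reject the field unless its tag matches; comparison is constant-time."""
    value, _, tag = sealed.rpartition(".")
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not value or not hmac.compare_digest(tag, expected):
        raise ValueError("hidden field tampered with")
    return value
```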