[Owasp-bayarea] Feedback on Top 10 2017 RC2 released
prashant k v
kvprashant at yahoo.com
Mon Oct 23 17:40:10 UTC 2017
There isn't much awareness about serialization issues. It will be great if someone can take a session on this vulnerability. I can help facilitate that session in upcoming OWASP meets in the Bay Area. Can someone volunteer?
From: io <blake at hotwan.com>
To: Ricardo Iramar dos Santos <ricardo.iramar at owasp.org>; owasp-bayarea at lists.owasp.org
Cc: owasp-leaders <owasp-leaders at lists.owasp.org>; OWASP Top-10 <owasp-topten at lists.owasp.org>; Neil Smithline <neil.smithline at owasp.org>
Sent: Saturday, October 21, 2017 2:03 PM
Subject: [Owasp-bayarea] Feedback on Top 10 2017 RC2 released
For A4: XML External Entity (XXE) - I see a lot of that in the field, though in terms of lack of configuration. Surprised to see little research has been done with embedded / inline files in XML.
Surprised we are including XML, where JSON implementations are rapidly overtaking it. No mention of HTML5 feature-rich specific vulns either. I guess more security research needs to be looked into in these areas to make it to the Top 10.
I think the A8: Insecure Serialization is a good one with a big potential for further eye-opening research across different programming languages. A sign of our times in 2017.
I'm on the fence about A10: Insufficient Logging and Monitoring. Though I see it everywhere in code and lack of, misconfigurations, etc., I really don't see it as a 'Legit' attack vector as each of the rest of the Top 10 categories are. It's most always a Low finding anyway and geared more for a different profession such as Incident Response - which is out of scope.
Glad to see "Insufficient Attack Protection" was removed. That one seemed like a thinly veiled vendor pitch from some product-pushing scum.
Questions, comments, Stimulating Ideas???
On Oct 21, 2017, at 4:22 AM, Ricardo Iramar dos Santos <ricardo.iramar at owasp.org> wrote:
Amazing updates! Congratulations to the team!
On Fri, Oct 20, 2017 at 7:17 PM, Neil Smithline <neil.smithline at owasp.org> wrote:
We have just released RC2 at https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010%202017%20RC2%20Final.pdf
We have worked extensively to validate the methodology, obtained a great deal of data on over 114,000 apps, and obtained qualitative data via survey by 550 community members on the two new categories – insecure deserialization and insufficient logging and monitoring.
We strongly urge for any corrections or issues to be logged at GitHub - https://github.com/OWASP/Top10/issues
Through public transparency, we provide traceability and ensure that all voices are heard during this final month before publication.
(We will be reaching out to translators shortly.)
Andrew van der Stock, Brian Glas, Neil Smithline, Torsten Gigler
Neil Smithline, OWASP Top-10 Co-Leader (@neil_smithline)