[Owasp-board] OWASP Top 10 ... Done!

Dinis Cruz dinis at ddplus.net
Mon Jan 29 15:12:52 UTC 2007


Hi Dave, I just had a quick chat with Andrew about one medium change (it was
quicker to talk than to write).

Basically I asked if we could change A3 - Insecure Remote File Include to A3
- Malicious Remote File Execution (or even A3 - Malicious File Execution, or
even A3 - Malicious Code Execution), since this covers the PHP remote file
include issue, XSS/XSD injections, remote file upload via
uploadFile.aspx/uploadFile.jsp,
and using reflection to invoke .Net/Java classes directly. It also makes
reference to the real problem that our web apps today have: that their
security (and the surrounding environment) is dependent on the non-execution
of malicious code.

Of course one of the solutions for this is to use Sandboxes that limit what
that code can do :)

Jeff, Dave, what do you think? (Andrew was ok with it and (after talking to
Jeff today) is able to make these small changes)

I think that the proposed title is a good compromise between Andrew's
request to have the PHP remote include in there and my request to have the
sandbox issue in there (and it affects ALL web apps, so it is not PHP
specific).

Sorry for not raising this issue earlier, but I was looking at the proposed new
title (which only occurred to me this weekend).

Dinis



On 1/29/07, Dave Wichers <dave.wichers at owasp.org> wrote:
>
> Andrew,
>
> Excellent job finishing all this up. Looks great. I did one more quick pass
> through your changes and made a few more minor edits / corrections.
>
> It is attached and I agree it's ready to go.
>
> Jeff/Dinis?
>
> -Dave
>
> -----Original Message-----
> From: Andrew van der Stock [mailto:vanderaj at aspectsecurity.com]
> Sent: Monday, January 29, 2007 2:51 AM
> To: Jeff Williams; Dave Wichers; Dinis Cruz
> Subject: OWASP Top 10 ... Done!
>
> Hi guys,
>
> I've spent a goodly portion of this weekend going through the Top 10 Dave
> sent through with a fine tooth comb.
>
> Some of the changes:
>
> * Fixed / resolved all of Dave's comments and yellow text
> * Replaced some text to be clearer (generally near where Dave's comments
> were)
> * Updated graph and tables to adhere to new chapter names and update the
> stats as per their raw values
> * Fitted the summary onto a single page
> * All samples in all 10 chapters actually go somewhere useful
> * Improved links and references
> * Added one new section (Vulnerabilities, not attacks) as one comment I got
> from Jeremiah re: my ToC post to my blog last month was that the ToC
> doesn't deal with phishing, identity theft, etc. So I added a section
> showing how this T10 deals with those sorts of attacks and a few others
>
> Dinis/Jeff/Dave, if you're happy, I'm happy with this draft and I consider
> it ready to be forwarded to -leaders and the T10 list. Even if it's now not
> as perfect as it could be, I think we can make further changes during the
> comments period rather than hanging on to it any longer.
>
> It's time to get this baby out the door!
>
> Thanks,
> Andrew
>
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-board
>


-- 
Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?
http://www.owasp.org