[Owasp-ireland] The Verizon 2012 Data Breach Investigations Report is out!

Alexis FitzGerald alexis at rits.ie
Fri Mar 23 14:02:35 UTC 2012


I think the OWASP Top 10 should keep reflecting risk and not the most common
vulns.
This way, development groups can then use it as a basis for prioritising
their efforts.
But sources such as DBIR etc. should be used by the OWASP Top 10 team as
evidence when revising the Top 10 - to more accurately reflect actual
likelihood.

The OWASP Top 10 seems to be on a 3-year cycle (2004, 2007, 2010), so the
next version would be due next year, 2013.

Alexis

On 23/03/2012 14:49, Eoin wrote:
> Yes indeed. The browser is also getting pretty important in terms of
> protecting clients, with X-Frame and CSP.
>
>
> Eoin Keary
> BCC Risk Advisory
> Owasp Global Board
> +353 87 977 2988
>
>
> On 23 Mar 2012, at 13:41, David Rook <david.rook at realexpayments.com
> <mailto:david.rook at realexpayments.com>> wrote:
>
>> Hit send too quickly!
>>
>> Especially when you also consider a point Fabio included in his email
>> from the IBM report:
>>
>> "Fifty percent reduction in cross site scripting (XSS)
>> vulnerabilities due to improvements in software quality"
>>
>> On 23/03/2012 13:34, Eoin wrote:
>>> Alexis, assuming this is the case, if, say, we need to re-contextualise
>>> the Top 10 as most common, shall we propose this to the project leads?
>>>
>>>
>>> Eoin Keary
>>> BCC Risk Advisory
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>> On 23 Mar 2012, at 12:51, Alexis FitzGerald <alexis at rits.ie
>>> <mailto:alexis at rits.ie>> wrote:
>>>
>>>> According to:
>>>>
>>>>   * https://www.owasp.org/index.php/Top_10_2010:
>>>>
>>>> The OWASP Top 10 "presents a more concise risk focused list of the
>>>> Top 10 Most Critical Web Application Security Risks."
>>>> It's about risk, not just "discovered vulnerabilities".
>>>>
>>>> A simple definition of risk is:
>>>>     risk= likelihood * impact
>>>>
>>>> If you accept the DBIR evidence, then the likelihood of XSS must be
>>>> low (since it is not even mentioned), therefore the risk from XSS
>>>> is correspondingly low (even though it is commonly found).
>>>>
>>>> The question then arises does the OWASP list of "Top 10 Most
>>>> Critical Web Application Security Risks" rate XSS too high?
>>>>
>>>> Alexis
>>>>
>>>> On 23/03/2012 13:20, David Rook wrote:
>>>>> Already submitted something Eoin!
>>>>>
>>>>> On the developers point I was recently speaking with Lorna Alamri
>>>>> about app sec conferences in general and I suggested something
>>>>> similar. Specifically my one liner on that was:
>>>>>
>>>>> "Get developers to come and speak, get them to tell the security
>>>>> people in the audience why they find it hard to write secure code"
>>>>>
>>>>> Someone like Niall Jordan (I'm sure he is reading these emails!)
>>>>> would be ideal for that in my opinion with the background he has -
>>>>> both sides of the table in recent times. I can send a message to
>>>>> our developers here to see if anyone fancies doing something like
>>>>> that as well.
>>>>>
>>>>> On 23/03/2012 12:14, Eoin wrote:
>>>>>> Correct,
>>>>>> The latest WhiteHat report has XSS as second, Information leakage
>>>>>> as #1
>>>>>>  
>>>>>> Hope you are going to submit (CFP) something for OWASP Ireland
>>>>>> 2012 (September)?
>>>>>> Other people on the list please get involved also......
>>>>>>  
>>>>>> I'd love for some developers to talk at the event discussing
>>>>>> problems they have with security and how can it be easier to do!!??
>>>>>>  
>>>>>> We have Keynotes:
>>>>>> Jeremiah Grossman, Michael Coates + 1 more
>>>>>> And a good panel to be chaired by Bryce Bolland (UBS Security CTO)
>>>>>>
>>>>>> On 23 March 2012 12:07, David Rook <david.rook at realexpayments.com
>>>>>> <mailto:david.rook at realexpayments.com>> wrote:
>>>>>>
>>>>>>     Hi Eoin,
>>>>>>
>>>>>>     I think your final point hits the nail on the head. After all,
>>>>>>     it's not a report detailing the most commonly found vulns but
>>>>>>     the vectors used to steal data, and whilst XSS could have been
>>>>>>     involved it wasn't the way the data was stolen, if that makes
>>>>>>     sense.
>>>>>>
>>>>>>     I'm sure if you looked at the latest White Hat Security
>>>>>>     report for example it would show XSS as being a common vuln
>>>>>>     and I don't think any would argue against that :)
>>>>>>
>>>>>>     Dave
>>>>>>
>>>>>>
>>>>>>     On 23/03/2012 12:01, Eoin wrote:
>>>>>>>     Hi David,
>>>>>>>
>>>>>>>     I'll admit I did not read the report :)
>>>>>>>
>>>>>>>     So the Verizon report pretty much says XSS is not used very
>>>>>>>     much to cause havoc!!
>>>>>>>     It would be good to read other reports to see if they say
>>>>>>>     similar??
>>>>>>>      
>>>>>>>     So are we as security peeps barking up the wrong tree.... I
>>>>>>>     think the OWASP Top 10 is based on discovered issues as
>>>>>>>     opposed to breaches if that makes sense - The most common
>>>>>>>     vulns found.
>>>>>>>      
>>>>>>>     -ek
>>>>>>>
>>>>>>>     On 23 March 2012 08:58, David Rook
>>>>>>>     <david.rook at realexpayments.com
>>>>>>>     <mailto:david.rook at realexpayments.com>> wrote:
>>>>>>>
>>>>>>>         Hi Eoin,
>>>>>>>
>>>>>>>         Yep, it can do, but how malware was installed was included
>>>>>>>         in the report as well, and XSS is going to account for
>>>>>>>         very few of those infections I think. According to the
>>>>>>>         report 95% of all malware used in those data breaches
>>>>>>>         was installed after the attacker got access to the
>>>>>>>         system; at best I think only around 3% of the malware
>>>>>>>         used in data breaches came from web app vulns being
>>>>>>>         exploited (2% "injected by attacker" and 1% "drive-by
>>>>>>>         web attacks").
>>>>>>>
>>>>>>>         It could be that the malware installed via an XSS
>>>>>>>         exploit is part of the 95% but if it was a significant
>>>>>>>         chunk of that I'd have expected it to be called out in
>>>>>>>         the report.
>>>>>>>
>>>>>>>         I could be reading that part of the report wrong though :)
>>>>>>>
>>>>>>>         Dave
>>>>>>>
>>>>>>>
>>>>>>>         On 22/03/2012 17:13, Eoin wrote:
>>>>>>>>         But XSS leads to malware upload? It's a payload
>>>>>>>>         delivery system.
>>>>>>>>         Agree??
>>>>>>>>
>>>>>>>>         Eoin Keary
>>>>>>>>         BCC Risk Advisory
>>>>>>>>         Owasp Global Board
>>>>>>>>         +353 87 977 2988
>>>>>>>>
>>>>>>>>
>>>>>>>>         On 22 Mar 2012, at 16:48, David Rook
>>>>>>>>         <david.rook at realexpayments.com
>>>>>>>>         <mailto:david.rook at realexpayments.com>> wrote:
>>>>>>>>
>>>>>>>>>         Hi Alexis,
>>>>>>>>>
>>>>>>>>>         I'd say your final question is correct. I'm not
>>>>>>>>>         doubting they are big issues (in that they can be
>>>>>>>>>         exploited and are in many web apps) but they aren't in
>>>>>>>>>         the same league as the vectors mentioned in the
>>>>>>>>>         report. I can't remember a big CSRF news story, for
>>>>>>>>>         example, let alone one that led to a lot of data being
>>>>>>>>>         stolen.
>>>>>>>>>
>>>>>>>>>         Dave
>>>>>>>>>
>>>>>>>>>         On 22/03/2012 16:40, Alexis FitzGerald wrote:
>>>>>>>>>>
>>>>>>>>>>         I could not find any mention of XSS (or CSRF). At
>>>>>>>>>>         least they were mentioned in last year's edition.
>>>>>>>>>>         Does this mean that the OWASP Top 10 puts too much of
>>>>>>>>>>         an emphasis on these issues? While they might be
>>>>>>>>>>         prevalent in online applications, they are not
>>>>>>>>>>         actually exploited much in actual data breaches?
>>>>>>>>>>
>>>>>>>>>>         Opinions welcome.
>>>>>>>>>>
>>>>>>>>>>         Alexis
>>>>>>>>>>
>>>>>>>>>>         On 22/03/2012 16:47, David Rook wrote:
>>>>>>>>>>>         Hi Fabio,
>>>>>>>>>>>
>>>>>>>>>>>         What I found interesting is that of the vectors
>>>>>>>>>>>         included in the hacking category 90% of the breaches
>>>>>>>>>>>         were because of non app sec issues! I was a bit
>>>>>>>>>>>         surprised by that, and it is very different when the
>>>>>>>>>>>         report focuses on "large" organisations (54%), but it
>>>>>>>>>>>         does provide a strong argument for app sec vs non app
>>>>>>>>>>>         sec spend *not* being equal.
>>>>>>>>>>>
>>>>>>>>>>>         Sure app sec spend needs to increase but using the
>>>>>>>>>>>         evidence presented in this report (and I acknowledge
>>>>>>>>>>>         it's not the complete picture of course) it's a
>>>>>>>>>>>         tough sell to convince people that app sec spend
>>>>>>>>>>>         should be equal to or more than non app sec spend.
>>>>>>>>>>>
>>>>>>>>>>>         Veracode published a blog
>>>>>>>
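Eoin's remark above that the browser itself now protects clients, via X-Frame-Options and Content-Security-Policy, is the one point in the thread that lends itself to a worked check. What follows is an added example written for this page, not code from the OWASP Ireland list, from OWASP or from any project named in the thread. It parses a response's CSP and X-Frame-Options headers and reports the configurations that leave clickjacking or injected-script execution open; the three header sets at the bottom are constructed samples, not captured from any real site, and the nonce value in them is an arbitrary placeholder.

```python
"""Audit HTTP response headers for the two browser-side defences named in the
thread: X-Frame-Options (clickjacking) and Content-Security-Policy (XSS
containment). Added example for this page, not code from the mailing list;
the header sets at the bottom are constructed samples."""

from typing import Dict, List

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source-expression, ...]}.

    Directive names are case-insensitive. When a directive is repeated,
    browsers honour the first occurrence and ignore the rest; setdefault()
    reproduces that so the audit sees the policy the browser enforces."""
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return the weaknesses found; an empty list means both defences hold.
    Header names are matched case-insensitively."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    csp = parse_csp(h.get("content-security-policy", ""))

    # 1. Clickjacking. Framing must be restricted by CSP frame-ancestors or,
    #    failing that, by X-Frame-Options DENY/SAMEORIGIN. ALLOW-FROM was never
    #    widely supported and current browsers ignore it.
    frame_ancestors = csp.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").strip().upper()
    if frame_ancestors is None:
        if xfo in ("DENY", "SAMEORIGIN"):
            pass
        elif xfo.startswith("ALLOW-FROM"):
            findings.append("X-Frame-Options ALLOW-FROM is ignored by current "
                            "browsers; use CSP frame-ancestors")
        else:
            findings.append("no framing restriction (X-Frame-Options or CSP "
                            "frame-ancestors)")
    elif "*" in frame_ancestors:
        findings.append("CSP frame-ancestors * permits framing from any origin")

    # 2. Script execution. script-src governs which scripts may run; default-src
    #    is the fallback when script-src is absent. An injected <script> runs if
    #    inline scripts are allowed without a nonce/hash or any host may serve
    #    scripts. With a nonce or hash present, CSP2+ browsers ignore
    #    'unsafe-inline', so that combination is not flagged.
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("no CSP script-src or default-src: injected inline and "
                        "remote scripts are allowed")
        return findings
    sources = [s.lower() for s in script_src]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("script-src 'unsafe-inline' without a nonce or hash "
                        "lets injected inline scripts run")
    if "*" in sources or "https:" in sources or "http:" in sources:
        findings.append("script-src allows scripts from any host")
    if "data:" in sources:
        findings.append("script-src data: lets an attacker supply script "
                        "bodies inline")
    if "'unsafe-eval'" in sources:
        findings.append("script-src 'unsafe-eval' allows string-to-code "
                        "(eval, new Function)")
    return findings


# Constructed samples (not real sites); the nonce is a placeholder value.
WEAK_HEADERS = {
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'",
}
LEGACY_HEADERS = {  # framing handled, but no CSP at all
    "X-Frame-Options": "SAMEORIGIN",
}
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-d2ViYXBw'; "
        "object-src 'none'; frame-ancestors 'none'"
    ),
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("legacy", LEGACY_HEADERS),
                        ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_headers(hdrs) or ['ok']}")
```

Two design points worth noting. First, the parser keeps the first occurrence of a repeated directive because that is what browsers enforce, so an audit of the raw header string would otherwise be fooled by a permissive duplicate appended later. Second, when both X-Frame-Options and frame-ancestors are present, browsers that understand frame-ancestors use it and ignore X-Frame-Options, which is why the check treats frame-ancestors as authoritative and only falls back to X-Frame-Options when CSP says nothing about framing; sending both remains the sensible choice for older clients.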
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-ireland/attachments/20120323/cfadbe4c/attachment-0001.html>

