<html><head></head><body bgcolor="#FFFFFF"><div>I am trying to secure funds to reboot many projects, top 10 is one of them.</div><div><br><br>Eoin Keary<div>BCC Risk Advisory</div><div>Owasp Global Board</div><div>+353 87 977 2988</div><div><br></div></div><div><br>On 23 Mar 2012, at 13:39, David Rook <<a href="mailto:david.rook@realexpayments.com">david.rook@realexpayments.com</a>> wrote:<br><br></div><div><span></span></div><blockquote type="cite"><div>
  
  
  
    Definitely no harm in suggesting it, I'd be surprised if we were the
    only ones having this kind of discussion after reading the DBIR!<br>
    <br>
    New top 10 must be due soon anyway right Eoin?<br>
    <br>
    On 23/03/2012 13:34, Eoin wrote:
    <blockquote cite="mid:0F7BE2FE-DA7A-40BD-8626-14250C7CD76F@owasp.org" type="cite">
      <div>Alexis, assuming this is the case if say we need to
        re-contextualise the top 10</div>
      <div>As most common. </div>
      <div>Shall we propose this to the project leads??</div>
      <div><br>
        <br>
        Eoin Keary
        <div>BCC Risk Advisory</div>
        <div>Owasp Global Board</div>
        <div>+353 87 977 2988</div>
        <div><br>
        </div>
      </div>
      <div><br>
        On 23 Mar 2012, at 12:51, Alexis FitzGerald <<a moz-do-not-send="true" href="mailto:alexis@rits.ie">alexis@rits.ie</a>>
        wrote:<br>
        <br>
      </div>
      <div><span></span></div>
      <blockquote type="cite">
        <div>
          According to:<br>
          <ul>
            <li><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/Top_10_2010">https://www.owasp.org/index.php/Top_10_2010</a>:</li>
          </ul>
          The OWASP Top 10 "presents a more concise risk focused list of
          the Top 10 Most Critical Web Application Security Risks."<br>
          It's about risk - not just "discovered vulnerabilities"<br>
          <br>
          A simple definition of risk is:<br>
              risk = likelihood * impact<br>
          <br>
          If you accept the DBIR evidence, then the likelihood of XSS
          must be low (since it is not even mentioned), therefore the
          risk from XSS is correspondingly low (even though it is
          commonly found)<br>
          <br>
          The question then arises does the OWASP list of "Top 10 Most
          Critical Web Application Security Risks" rate XSS too high?<br>
          <br>
          Alexis<br>
          <br>
          On 23/03/2012 13:20, David Rook wrote:
          <blockquote cite="mid:4F6C6AAB.2070600@realexpayments.com" type="cite">
            Already submitted something Eoin!<br>
            <br>
            On the developers point I was recently speaking with Lorna
            Alamri about app sec conferences in general and I suggested
            something similar. Specifically my one liner on that was:<br>
            <br>
            "Get developers to come and speak, get them to tell the
            security people in the audience why they find it hard to
            write secure code"<br>
            <br>
            Someone like Niall Jordan (I'm sure he is reading these
            emails!) would be ideal for that in my opinion with the
            background he has - both sides of the table in recent times.
            I can send a message to our developers here to see if anyone
            fancies doing something like that as well.<br>
            <br>
            On 23/03/2012 12:14, Eoin wrote:
            <blockquote cite="mid:CAB0dSK5vM31wQO3LN2Vzn4jhBnfx=9ybLtsy3F5N_n-KJKiu-Q@mail.gmail.com" type="cite">
              <div>Correct,</div>
              <div>The latest WhiteHat report has XSS as second,
                Information leakage as #1</div>
              <div> </div>
              <div>Hope you are going to submit (CFP) something for
                OWASP Ireland 2012 (September)?</div>
              <div>Other people on the list please get involved
                also......</div>
              <div> </div>
              <div>I'd love for some developers to talk at the event
                discussing problems they have with security and how can
                it be easier to do!!??</div>
              <div> </div>
              <div>We have Keynotes:</div>
              <div>Jeremiah Grossman, Michael Coates + 1 more</div>
              <div>And a good panel to be chaired by Bryce Bolland (UBS
                Security CTO)</div>
              <div class="gmail_quote">On 23 March 2012 12:07, David
                Rook <span dir="ltr"><<a moz-do-not-send="true" href="mailto:david.rook@realexpayments.com">david.rook@realexpayments.com</a>></span>
                wrote:<br>
                <blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px
                  0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">
                  <div bgcolor="#FFFFFF" text="#000000">Hi Eoin,<br>
                    <br>
                    I think your final point hits the nail on the head,
                    after all it's not a report detailing the most
                    commonly found vulns but the vectors used to steal
                    data and whilst XSS could have been involved it
                    wasn't the way the data was stolen if that makes
                    sense.<br>
                    <br>
                    I'm sure if you looked at the latest White Hat
                    Security report for example it would show XSS as
                    being a common vuln and I don't think any would
                    argue against that :)<br>
                    <br>
                    Dave
                    <div>
                      <div class="h5"><br>
                        <br>
                        On 23/03/2012 12:01, Eoin wrote:
                        <blockquote type="cite">
                          <div>Hi David,</div>
                          <div> </div>
                          <div>I'll admit I did not read the report:)</div>
                          <div> </div>
                          <div>So the Verizon report pretty much says
                            XSS is not used very much to cause havoc!!</div>
                          <div>It would be good to read other reports to
                            see if they say similar??</div>
                          <div> </div>
                          <div>So are we as security peeps barking up
                            the wrong tree.... I think the OWASP Top 10
                            is based on discovered issues as opposed to
                            breaches if that makes sense - The most
                            common vulns found.</div>
                          <div> </div>
                          <div>-ek</div>
                          <div> </div>
                          <div><br>
                            <br>
                             </div>
                          <div class="gmail_quote">On 23 March 2012
                            08:58, David Rook <span dir="ltr"><<a moz-do-not-send="true" href="mailto:david.rook@realexpayments.com" target="_blank">david.rook@realexpayments.com</a>></span>
                            wrote:<br>
                            <blockquote style="BORDER-LEFT:#ccc 1px
                              solid;MARGIN:0px 0px 0px
                              0.8ex;PADDING-LEFT:1ex" class="gmail_quote">
                              <div bgcolor="#FFFFFF" text="#000000">Hi
                                Eoin,
                                <div><br>
                                </div>
                                <div>Yep it can do but how malware was
                                  installed was included in the report
                                  as well and XSS is going to account
                                  for very few of those infections I
                                  think. According to the report 95% of
                                  all malware used in those data
                                  breaches was installed after the
                                  attacker got access to the system, at
                                  best I think only around 3% of the
                                  malware used in data breaches came
                                  from web app vulns being exploited (2%
                                  "injected by attacker" and 1% "drive
                                  by web attacks"). </div>
                                <div><br>
                                  It could be that the malware installed
                                  via an XSS exploit is part of the 95%
                                  but if it was a significant chunk of
                                  that I'd have expected it to be called
                                  out in the report.<br>
                                  <br>
                                </div>
                                <div>I could be reading that part of the
                                  report wrong though :)</div>
                                <div><br>
                                </div>
                                <div>Dave</div>
                                <div>
                                  <div><br>
                                    <br>
                                    On 22/03/2012 17:13, Eoin wrote:
                                    <blockquote type="cite">
                                      <div>But xss leads to malware
                                        upload? It's a payload delivery
                                        system.</div>
                                      <div>Agree??<br>
                                        <br>
                                        Eoin Keary
                                        <div>BCC Risk Advisory</div>
                                        <div>Owasp Global Board</div>
                                        <div><a moz-do-not-send="true" href="tel:%2B353%2087%20977%202988" target="_blank" value="+353879772988">+353
                                            87 977 2988</a></div>
                                        <div><br>
                                        </div>
                                      </div>
                                      <div><br>
                                        On 22 Mar 2012, at 16:48, David
                                        Rook <<a moz-do-not-send="true" href="mailto:david.rook@realexpayments.com" target="_blank">david.rook@realexpayments.com</a>>
                                        wrote:<br>
                                        <br>
                                      </div>
                                      <blockquote type="cite">
                                        <div>Hi Alexis,<br>
                                          <br>
                                          I'd say your final question is
                                          correct. I'm not doubting they
                                          are big issues (in that they
                                          can be exploited and are in
                                          many web apps) but they aren't
                                          in the same league as the
                                          vectors mentioned in the
                                          report. I can't remember a big
                                          CSRF news story for example,
                                          let alone one that led to a
                                          lot of data being stolen.<br>
                                          <br>
                                          Dave<br>
                                          <br>
                                          On 22/03/2012 16:40, Alexis
                                          FitzGerald wrote:
                                          <blockquote type="cite"><br>
                                            I could not find any mention
                                            of XSS (or CSRF). At least
                                            they were mentioned in last
                                            year's edition. Does this
                                            mean that the OWASP Top 10
                                            puts too much of an emphasis
                                            on these issues? While they
                                            might be prevalent in online
                                            applications, they are not
                                            actually exploited much in
                                            actual data breaches? <br>
                                            <br>
                                            Opinions welcome.<br>
                                            <br>
                                            Alexis<br>
                                            <br>
                                            On 22/03/2012 16:47, David
                                            Rook wrote:
                                            <blockquote type="cite">Hi
                                              Fabio,<br>
                                              <br>
                                              What I found interesting
                                              is that of the vectors
                                              included in the hacking
                                              category 90% of the
                                              breaches were because of
                                              non app sec issues! I was
                                              a bit surprised by that
                                              and it is very different
                                              when the report focuses on
                                              "large" organisations
                                              (54%) but it does provide
                                              a strong argument for app
                                              sec v non app sec spend <b>not
                                              </b>being equal.<br>
                                              <br>
                                              Sure app sec spend needs
                                              to increase but using the
                                              evidence presented in this
                                              report (and I acknowledge
                                              it's not the complete
                                              picture of course) it's a
                                              tough sell to convince
                                              people that app sec spend
                                              should be equal to or more
                                              than non app sec spend.<br>
                                              <br>
                                              Veracode published a blog
                                              which pulled out the a</blockquote></blockquote></div></blockquote></blockquote></div></div></div></blockquote></div></blockquote></div></div></div></blockquote></div></blockquote></blockquote></div></blockquote></blockquote></div></blockquote></body></html>