[Owasp-leaders] Reaching developers = cooperative hackathons

Sherif Koussa sherif.koussa at gmail.com
Sat Sep 11 19:29:54 EDT 2010


Michael,

Great point, the decision on what to include or not will be up to the project itself.
The decision that needs to be made right now is whether OWASP wants to fill this
void. Mobile application/development/security is coming whether we want it
or not, and mobile security is an issue and people are looking for guidance
in this area. I believe that OWASP is best positioned to fill this void.
Maybe the project would start as an amendment to the current Top 10 and,
depending on the findings, it can either fork out to be its own project or
remain as an amendment. Thoughts?

On Sat, Sep 11, 2010 at 5:41 PM, Michael Coates <michael.coates at owasp.org> wrote:

> This will be an interesting issue to deal with.  Where are the
> boundaries of responsibility when thinking about the Mobile Top 10?
> Consider the scenario where a mobile app allows data to be submitted to
> a webserver and that data then results in an XSS attack which affects
> both mobile browsers and traditional browsers.  The vulnerability can be
> exploited to target both mobile browser users and computer based
> browsers. So if we were to develop a top 10 for mobile, could we
> realistically discount this scenario?
>
> I don't think we need to necessarily debate the issue here, but it is
> something for the mobile top 10 team to think about. How are these
> crossover issues between traditional browsers and mobile apps/ browsers
> handled?
>
>
> Michael Coates
> OWASP
>
>
> On 9/11/10 12:14 PM, Stephen de Vries wrote:
> > Hi Jim,
> >
> >> XSS still applies to the mobile world. Most mobile apps are tied to a
> >> website and can be a vector for submitting XSS payloads.
> > Mmmm, technically the issue is with the web app for not encoding the XSS
> > payload.  The fact that the payload was injected via the mobile app isn't a
> > flaw in the mobile client, it's a flaw on the web app side.
> >
> > Stephen
> >
> >
> >> On Sep 10, 2010, at 8:02 AM, Stephen de Vries <stephen at twisteddelight.org> wrote:
> >>
> >>> "Mobile security" means different things to different people.  For the
> >>> purposes of creating another top ten IMO we should not consider any browser
> >>> based app as a mobile app.  What we'll be left with is a generic
> >>> client-server top ten, with a few sprinkles of mobile specific issues.
> >>> Comparing to existing web top ten:
> >>>
> >>> A1: Injection - still applies
> >>>
> >>> A2: Cross-Site Scripting (XSS) - N/A
> >>>
> >>> A3: Broken Authentication and Session Management - Still applies,
> >>> although session management will need changing.  Broken auth might include things
> >>> like using the mobile number or IMEI as a credential.  Then again that
> >>> doesn't apply to tablets which are also now "mobile" devices.
> >>>
> >>> A4: Insecure Direct Object References - N/A in its current form.
> >>> Direct access to objects passed over RMI maybe.
> >>>
> >>> A5: Cross-Site Request Forgery (CSRF) - N/A
> >>>
> >>> A6: Security Misconfiguration - still applies
> >>>
> >>> A7: Insecure Cryptographic Storage - still applies
> >>>
> >>> A8: Failure to Restrict URL Access - N/A in current form.  Could be
> >>> changed to Access Control Failure, or Access Control enforced on the client
> >>> side.
> >>>
> >>> A9: Insufficient Transport Layer Protection - still applies
> >>>
> >>> A10: Unvalidated Redirects and Forwards - N/A.
> >>>
> >>> For the additional issues, the biggies will be implementing security
> >>> functionality on the client rather than the server and persistent storage on
> >>> the client given the increased risk of compromise of the device itself.
> >>>
> >>>
> >>> Stephen
> >>>
> >>>>
> >>>> On Fri, Sep 10, 2010 at 10:34 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
> >>>> I’d be happy to see both styles of Top 10’s developed.
> >>>>
> >>>>
> >>>> Regarding the Top 10 for Mobile. I’d love for a group of mobile
> >>>> security experts to explore whether it truly is different than the existing
> >>>> Top 10 and why. And then let us know what they have discovered and have that
> >>>> reviewed by the community. If the rough consensus is that it is truly
> >>>> different, then it would be great to write one. If the consensus is that it
> >>>> is very similar, maybe we should write an ‘interpretation’ of the Top 10 in
> >>>> the Mobile environment, or if we decide it's essentially the same set of
> >>>> risks, then we should state that publicly on the wiki.
> >>>>
> >>>>
> >>>> I don’t know which way it will fall, but I’d love to hear what people
> >>>> think on this subject.
> >>>>
> >>>>
> >>>> -Dave
> >>>>
> >>>>
> >>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
> >>>> Sent: Thursday, September 09, 2010 11:58 AM
> >>>>
> >>>>
> >>>> To: owasp-leaders at lists.owasp.org
> >>>> Subject: Re: [Owasp-leaders] Reaching developers = cooperative hackathons
> >>>>
> >>>>
> >>>>
> >>>> More importantly, I think we need to put *language specific* Top Tens
> >>>> out front.
> >>>>
> >>>>
> >>>> OWASP Top Ten for PHP
> >>>>
> >>>> OWASP Top Ten for Java
> >>>>
> >>>> Etc
> >>>>
> >>>>
> >>>> This will help OWASP reach developers in a more prolific way.
> >>>>
> >>>> -Jim Manico
> >>>>
> >>>> http://manico.net
> >>>>
> >>>>
> >>>> On Sep 9, 2010, at 5:19 AM, Sherif Koussa <sherif.koussa at gmail.com> wrote:
> >>>>
> >>>> Would the leaders think there is value in starting a Top Ten for
> >>>> Mobile Applications? Or would that lie sort of outside the boundaries of
> >>>> OWASP since they might not typically be "web" applications?
> >>>>
> >>>>
> >>>> Regards,
> >>>>
> >>>> Sherif
> >>>>
> >>>>
> >>>> On Wed, Sep 8, 2010 at 10:38 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
> >>>>
> >>>> I would like to see more top ten lists and I think this is a
> >>>> reasonable list to shoot for.  And I hope it would echo similar sentiments
> >>>> that are presented by the OWASP Guide. And if not, they should be synced up.
> >>>>
> >>>>
> >>>> I still want to get a real Top Ten for Web Services done. We took a
> >>>> shot back in 2008 but I haven’t had the energy to really get it completed.
> >>>>
> >>>>
> >>>> -Dave
> >>>>
> >>>>
> >>>> Dave Wichers
> >>>>
> >>>> OWASP Top 10 Project Lead
> >>>>
> >>>>
> >>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of James McGovern
> >>>> Sent: Wednesday, September 08, 2010 8:41 AM
> >>>>
> >>>>
> >>>> To: owasp-leaders at lists.owasp.org
> >>>>
> >>>> Subject: Re: [Owasp-leaders] Reaching developers = cooperative hackathons
> >>>>
> >>>>
> >>>> Does anyone else think starting a project to create a Top Ten list for
> >>>> Software Architects has merit? Since my past project of starting a
> >>>> certification resulted in a fail, I am game to try again and see if we can
> >>>> create a win…
> >>>>
> >>>>
> >>>> James McGovern
> >>>> Insurance SBU
> >>>>
> >>>> Virtusa Corporation
> >>>>
> >>>> 100 Northfield Drive, Suite 305 | Windsor, CT | 06095
> >>>>
> >>>> Phone:  860 688 9900 Ext:  1037 | Facsimile:  860 688 2890
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> OWASP-Leaders mailing list
> >>>> OWASP-Leaders at lists.owasp.org
> >>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>>>
>
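Added example, not part of the thread: the crossover scenario Michael and Stephen discuss above, where text submitted through a mobile app's JSON API is later rendered in a browser-facing page. The sample submissions and the script-tag test string are constructed, and the channel names and helper functions are hypothetical. The code makes Stephen's point concrete: the defence lives on the web app side, as HTML output encoding applied at the point of rendering regardless of which client supplied the data, and a unit test can check that the raw payload never reaches the page.

```python
# Added example (not from the thread): the mobile-to-web XSS crossover case.
# Two submission channels write into one shared store; the only difference
# between the vulnerable and the hardened page is output encoding.
import html
import json
from typing import Dict, List

# Constructed sample submissions: one from a "mobile" JSON client, one from
# a traditional browser form.  The script tag is the usual harmless test
# string used only to show that encoding neutralises it.
MOBILE_JSON_BODY = '{"user": "mobile-user", "text": "<script>alert(1)</script>"}'
BROWSER_FORM_FIELDS = {"user": "browser-user", "text": "Hello <b>there</b>"}

# In-memory store standing in for the backend database shared by both clients.
COMMENTS: List[Dict[str, str]] = []


def submit_from_mobile(json_body: str) -> None:
    """Mobile app path (hypothetical API): parse the JSON body and store the
    comment verbatim.  Storing raw text is fine; rendering is where it matters."""
    data = json.loads(json_body)
    COMMENTS.append({"user": str(data["user"]), "text": str(data["text"])})


def submit_from_browser(form_fields: Dict[str, str]) -> None:
    """Browser form path: same store, same untrusted data."""
    COMMENTS.append({"user": form_fields["user"], "text": form_fields["text"]})


def render_vulnerable(comments: List[Dict[str, str]]) -> str:
    """The flaw Stephen describes: stored text concatenated into HTML without
    encoding.  A payload submitted via the mobile API then runs in any browser
    that views this page, mobile or desktop."""
    rows = "".join(f"<li>{c['user']}: {c['text']}</li>" for c in comments)
    return f"<ul>{rows}</ul>"


def render_safe(comments: List[Dict[str, str]]) -> str:
    """Hardened form: HTML-encode every untrusted value at output time.
    quote=True also encodes quotes, so the same helper is safe inside
    attribute values, not only element bodies."""
    rows = "".join(
        f"<li>{html.escape(c['user'], quote=True)}: "
        f"{html.escape(c['text'], quote=True)}</li>"
        for c in comments
    )
    return f"<ul>{rows}</ul>"


def contains_raw_markup(rendered: str, submitted_text: str) -> bool:
    """Output check a test suite can run: does the submitted string survive
    unencoded in the rendered page?  True means the crossover scenario is
    exploitable against every browser that loads the page."""
    return submitted_text in rendered


def demo() -> Dict[str, bool]:
    """Push both channels through both renderers and report whether the raw
    mobile payload reached the page."""
    COMMENTS.clear()
    submit_from_mobile(MOBILE_JSON_BODY)
    submit_from_browser(BROWSER_FORM_FIELDS)
    payload = json.loads(MOBILE_JSON_BODY)["text"]
    return {
        "vulnerable_renders_payload": contains_raw_markup(render_vulnerable(COMMENTS), payload),
        "safe_renders_payload": contains_raw_markup(render_safe(COMMENTS), payload),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block reports that the vulnerable renderer emits the mobile-submitted payload unchanged while the encoded renderer does not. Nothing in the mobile client changed between the two runs, which is why this item belongs to the web application's Top 10 treatment rather than to a mobile client list.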