[Owasp-leaders] OWASP Top 10 2012

Chris Schmidt chris.schmidt at owasp.org
Fri Oct 7 10:54:11 EDT 2011


I agree with you to an extent Dave. However, I think there are some
distinct ordering differences between the languages as well. For
instance, it is pretty rare that I have seen Remote/Local File Inclusion
bugs in Java or .Net apps, whereas they are found in PHP apps quite a
bit more frequently. I would say the same even about SQL Injection except
that I think I have seen a good deal more in .Net and PHP than in Java.
While there will definitely be quite a bit of crossover between the
overall top 10 and the language top 10s I believe that there are enough
differences in order and risk associated with the issues to warrant more
granular documents to complement the master top 10. I also believe there
should be cohesiveness between these documents however. For instance, I
may be looking at SQL Injection for .Net and think to myself, I wonder
if my org also has this same issue in our Java or .Net applications.

I think there is value in doing this - if nothing else I think there is
some research/metrics value in the discovery process, even if the
outcome of that discovery process indicates that separation is not worth
the effort investment.

I believe that I have seen some numbers out of the whitehat crew that
could provide some initial insight into the intersections and pieces
across different languages and frameworks.

On 10/7/2011 8:44 AM, Erwin Geirnaert wrote:
> Hi Dave,
>
> That's what I did with the OWASP Top 10 for JEE 2007 where I only
> described the issue for JEE and the necessary countermeasures.
> But the Top 10 used was the general one, and not specific for Java so
> for example you have the concept of malicious file execution where you
> include a PHP file from a malicious origin in a parameter and that
> doesn't apply to Java or .NET
>
> Discussing with a Java hardcore developer that Spring Security is not
> really a solution for the OWASP Top 10 is a difficult job :)
>
> Best regards,
>
> Erwin
>
> From: Dave Wichers <dave.wichers at owasp.org>
> Date: Fri, 7 Oct 2011 07:39:07 -0700
> To: 'Venkatesh Jagannathan' <venki at owasp.org>, Erwin Geirnaert
> <erwin.geirnaert at zionsecurity.com>
> CC: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
> Subject: RE: [Owasp-leaders] OWASP Top 10 2012
>
> I agree with Venkatesh here. I actually think .NET is MORE secure than
> Java in many respects. However, I think because Microsoft actually
> tried to build some security into .NET in certain areas, like
> automatic XSS defenses, they shot themselves in the foot to some
> degree because they provided .Net developers with a false sense of
> security in that area. Since their anti-XSS mechanism wasn't actually
> bulletproof, it actually ended up causing .NET apps to have MORE XSS
> vulns than Java apps on average. However, the .NET developers got this
> 'benefit' for free, i.e., they didn't have to do anything to get to
> their level of XSS vulns, but the Java developers had to work really
> hard to actually get their XSS vuln count down because Java had no
> built-in anti-XSS defenses. If you built the same App in both Java and
> .NET and the developers didn't specifically try to stop XSS vulns, the
> .NET app would actually have far less XSS than the Java one.
>
> I'm not a PHP expert so I can't comment there.
>
> Rather than having a 'different' Top 10 for each language, I think it
> WOULD be really cool to have a document like, How to address the OWASP
> Top 10 in Java/.NET/PHP, etc. Then the docs would be aligned with each
> other, rather than out of sync/different order/etc., which would be
> very confusing. However, if I was a developer for language X, and
> there was a Top 10 for that language, that would be very helpful for
> me, and not confusing since it covers the same stuff as the 'standard'
> Top 10.
>
> What do you think about this variant on your idea?
>
> -Dave
>
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
> Venkatesh Jagannathan
> Sent: Friday, October 07, 2011 10:29 AM
> To: Erwin Geirnaert
> Cc: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] OWASP Top 10 2012
>
> Hi Erwin,
>
>     I slightly disagree here. Whatever issue is present in .NET, the
> same can be replicated very much in Java. When I give training on
> writing secure code, based on top 10, I provide samples on both .net &
> java way.
>
> To me, creating a separate material for java/.net would at some point
> in time end up in too many "issuelets" that are language specific and
> dilute the concept of OWASP top 10.
>
>
> I think the way we should address this is: providing examples in all
> languages would make more sense than creating one for each language :)
>
> Thanks & Regards,
>
> ~Venki
>
> On Fri, Oct 7, 2011 at 7:47 PM, Erwin Geirnaert
> <erwin.geirnaert at zionsecurity.com> wrote:
>
> Hi list,
>
>
> During some discussions this week with Java developers while giving a
> security training I got the following remark: "why are there so many
> ASP.NET/PHP issues in the OWASP Top 10, is Java more secure"?
>
> So what I propose is to create a specific OWASP Top 10 for different
> technologies: Microsoft, Java, PHP and we can still have one global
> Top 10.
>
> Of course, based on the CVE database, but it will be clearer for the
> developers and I think that the OWASP Top 10 for Java will be very
> different from the OWASP Top 10 for PHP.
>
> Best regards,
>
> Erwin
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>