[Owasp-leaders] OWASP Top 10 Methodology
dennis.groves at owasp.org
Tue Mar 5 20:04:40 UTC 2013
On 5 Mar 2013, at 19:40, Paweł Krawczyk wrote:
> On 5/3/2013 at 7:16 PM, "Dennis Groves" wrote:
> But we have never been able to predict if any **specific individual**
> will purchase the banana.
> I'm not sure if these analogies will take us anywhere useful. I think
> at the maturity level of our industry it's already extremely useful to
> know that apps having feature Y are more frequently hacked than Z.
I agree, but this is correlation not causation.
For example: Say that we find 50k SQLi in our data corpus, and that this
number makes SQLi the number one issue in our data sets; as so we make
it the #1 issue in the new OWASP Top 10.
Lets further assume that I am using a SQL database in my application and
that my application is vulnerable to SQLi. We know that having a SQLi
correlates to getting hacked via SQLi but we actually do not know that
any given attacker will use that particular attack vector in my case.
It all depends. Maybe the attacker wants to steal from me, in that case
perhaps the attacker would not do something so obvious because he fears
it will be detected and cut him off from his income. Maybe the attacker
wants to deface my website; and SQLi will not help him reach that goal.
All I am saying is that this is not a metric. We can not **measure** the
likelihood that I will be attacked via SQLi because we can not predict
**if** let alone **how** I will be hacked.
All we have is correlation, and we know that this correlation puts me at
much greater risk.
**I am in agreement with you, I think we have the data (and plenty of
it) and the talent to do science, but I think right now we are doing
more astrology than astronomy.**
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a
*This email is licensed under a [CC BY-ND
**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free
> The idea that some lives matter less is the root of all that’s wrong
> with the world. -- Paul Farmer
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-Leaders