[Owasp-leaders] OWASP Top 10 Methodology

Dennis Groves dennis.groves at owasp.org
Tue Mar 5 20:04:40 UTC 2013


On 5 Mar 2013, at 19:40, Paweł Krawczyk wrote:

> On 5/3/2013 at 7:16 PM, "Dennis Groves" wrote:
> > But we have never been able to predict if any **specific individual**
> > will purchase the banana.
>
> I'm not sure if these analogies will take us anywhere useful. I think
> at the maturity level of our industry it's already extremely useful to
> know that apps having feature Y are more frequently hacked than Z.

I agree, but this is correlation not causation.

For example: say that we find 50k SQLi in our data corpus, and that this 
number makes SQLi the number one issue in our data sets; and so we make 
it the #1 issue in the new OWASP Top 10.

Let's further assume that I am using a SQL database in my application and 
that my application is vulnerable to SQLi. We know that having a SQLi 
correlates to getting hacked via SQLi but we actually do not know that 
any given attacker will use that particular attack vector in my case.

It all depends. Maybe the attacker wants to steal from me, in that case 
perhaps the attacker would not do something so obvious because he fears 
it will be detected and cut him off from his income. Maybe the attacker 
wants to deface my website; and SQLi will not help him reach that goal.

All I am saying is that this is not a metric. We cannot **measure** the 
likelihood that I will be attacked via SQLi because we cannot predict 
**if**, let alone **how**, I will be hacked.

All we have is correlation, and we know that this correlation puts me at 
much greater risk.

**I am in agreement with you, I think we have the data (and plenty of 
it) and the talent to do science, but I think right now we are doing 
more astrology than astronomy.**


Dennis

-- 
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a meeting](http://goo.gl/8sPIy).

*This email is licensed under a [CC BY-ND 3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free software](http://www.fsf.org/campaigns/secure-boot/statement).

> The idea that some lives matter less is the root of all that’s wrong 
> with the world. -- Paul Farmer