[Owasp-leaders] OWASP Top 10 Methodology

Mat Caughron caughron at gmail.com
Tue Mar 5 20:10:21 UTC 2013


Sad, but true Dennis.

Hmmmm...  Looking for some upside here... wait for it...

New job title?  Infosec Astrologer!

On Mar 5, 2013 12:06 PM, "Dennis Groves" <dennis.groves at owasp.org> wrote:

> On 5 Mar 2013, at 19:40, Paweł Krawczyk wrote:
> On 5/3/2013 at 7:16 PM, "Dennis Groves" wrote:
> But we have never been able to predict if any *specific individual*
> will purchase the banana.
> I'm not sure if these analogies will take us anywhere useful. I think
> at the maturity level of our industry it's already extremely useful to
> know that apps having feature Y are more frequently hacked than Z.
> I agree, but this is correlation not causation.
> For example: Say that we find 50k SQLi in our data corpus, and that this
> number makes SQLi the number one issue in our data sets; as so we make it
> the #1 issue in the new OWASP Top 10.
> Lets further assume that I am using a SQL database in my application and
> that my application is vulnerable to SQLi. We know that having a SQLi
> correlates to getting hacked via SQLi but we actually do not know that any
> given attacker will use that particular attack vector in my case.
> It all depends. Maybe the attacker wants to steal from me, in that case
> perhaps the attacker would not do something so obvious because he fears it
> will be detected and cut him off from his income. Maybe the attacker wants
> to deface my website; and SQLi will not help him reach that goal.
> All I am saying is that this is not a metric. We can not *measure* the
> likelihood that I will be attacked via SQLi because we can not predict *if
> * let alone *how* I will be hacked.
> All we have is correlation, and we know that this correlation puts me at
> much greater risk.
> *I am in agreement with you, I think we have the data (and plenty of it)
> and the talent to do science, but I think right now we are doing more
> astrology than astronomy.*
> Dennis
> ------------------------------
> Dennis Groves <http://about.me/dennis.groves>, MSc
> Email me <dennis.groves at owasp.org> or schedule a meeting<http://goo.gl/8sPIy>
> .
> *This email is licensed under a CC BY-ND 3.0<http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB>license.
> *
> *Please do not send me Microsoft Office/Apple iWork documents.*
> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
> Stand up for your freedom to install free software<http://www.fsf.org/campaigns/secure-boot/statement>
> .
> The idea that some lives matter less is the root of all that’s wrong with
> the world. -- Paul Farmer
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130305/48318967/attachment.html>

More information about the OWASP-Leaders mailing list