[Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology

Dennis Groves dennis.groves at owasp.org
Thu Mar 14 19:56:40 UTC 2013

On 14 Mar 2013, at 19:04, Ryan Barnett wrote:

> Dave,
> I agree with all of your points. Determining the estimated Risk level for DDoS is challenging, especially when you consider the org's vertical market. As you referenced in your BankInfoSecurity story, Finance verticals are being targeted as part of a multi-pronged attack where DDoS are used as a smoke-screen for ACH transfers. The attacker uses a combination of Banking Trojans client-side with C&C to IRC botnets which can launch DDoS floods. So the impact of the website downtime will be removed once the attack stops, however the end result is that funds were also stolen.
> I will get with Pawel and see if we can put together a Risk rating estimation for consideration.

Realistically speaking, the risk of a bot-net DDoS from anybody with $500 to put behind their revenge for a bank stealing their house and then getting a government bailout for the same, vs. an attacker finding an application-level DoS via a non-terminating regex or account lockout for too many wrong passwords, is night and day.

I don't see how Application DOS could possibly be in the Top 10.


[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a 

*This email is licensed under a [CC BY-ND 
3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free 

> The idea that some lives matter less is the root of all that’s wrong 
> with the world. -- Paul Farmer
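The "non-terminating regex" mentioned above is the classic catastrophic-backtracking case. The following is an added illustration, not code from the thread or from OWASP: it constructs a pattern with a nested quantifier, measures how matching time grows on a non-matching input, and shows the two defensive moves a developer has (rewrite the pattern so it has no nested quantifier, and bound input length before the regex engine ever sees it). The patterns, the 64-character limit and the sample lengths are assumptions chosen for the demo.

```python
import re
import time

# Constructed for illustration: the nested quantifier (a+)+ makes the engine
# try exponentially many ways to split a run of 'a's once the final '$'
# fails on the trailing '!'.
VULNERABLE = re.compile(r"^(a+)+$")

# Same language (one or more 'a'), no nested quantifier: linear time.
SAFE = re.compile(r"^a+$")

# Assumed application limit on the field being validated.
MAX_INPUT_LEN = 64


def time_non_matching(pattern, lengths):
    """Return {n: seconds} for matching 'a'*n + '!' against pattern.

    The input never matches, so the engine has to exhaust its search space;
    for VULNERABLE that space roughly doubles with each extra character.
    """
    timings = {}
    for n in lengths:
        payload = "a" * n + "!"
        start = time.perf_counter()
        pattern.fullmatch(payload)
        timings[n] = time.perf_counter() - start
    return timings


def guarded_match(pattern, text, max_len=MAX_INPUT_LEN):
    """Validate text with pattern, but refuse oversized input first.

    Length-capping is the mitigation that works even when you cannot rewrite
    the pattern (third-party validators, user-supplied rules): the worst case
    is bounded by the cap instead of by the attacker's patience.
    """
    if len(text) > max_len:
        raise ValueError(f"input of {len(text)} chars exceeds limit {max_len}")
    return pattern.fullmatch(text) is not None


def backtracking_growth(lengths=(10, 14, 18)):
    """Ratio of vulnerable to safe matching time at the largest length.

    A ratio far above 1 is the symptom a code reviewer is looking for when
    deciding whether a validator is an application-level DoS vector.
    """
    slow = time_non_matching(VULNERABLE, lengths)
    fast = time_non_matching(SAFE, lengths)
    biggest = max(lengths)
    return slow[biggest] / max(fast[biggest], 1e-9)


if __name__ == "__main__":
    for n, secs in time_non_matching(VULNERABLE, (10, 14, 18, 22)).items():
        print(f"vulnerable pattern, n={n:2d}: {secs:.4f}s")
    for n, secs in time_non_matching(SAFE, (10, 14, 18, 22)).items():
        print(f"safe pattern,       n={n:2d}: {secs:.6f}s")
    print("guarded_match ok:", guarded_match(SAFE, "aaaa"))
    try:
        guarded_match(VULNERABLE, "a" * 500 + "!")
    except ValueError as err:
        print("guarded_match rejected:", err)
```

Running the script shows the vulnerable pattern's time climbing by roughly a constant factor per added character while the safe pattern stays flat; the guarded call rejects a 500-character payload without ever invoking the engine, which is the behaviour to aim for on any input path exposed to the network.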
