[Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology
Dennis Groves
dennis.groves at owasp.org
Fri Mar 15 02:09:55 UTC 2013
On 15 Mar 2013, at 2:55, Daniel Clemens wrote:
> On Mar 14, 2013, at 4:11 PM, Ryan Barnett wrote:
>
>> Many of the DDoS tools include app layer attack options with:
>>
>> 1) GET/POST flooding
>> 2) Slow Requests
>> 3) Web Server platform vuln (like the Apache Range header vuln)
>>
>> These are applicable to a large number of sites.
>
> Um, ok, but these are tools to exhaust resources. OWASP != top ten
> threats, it is top 10-application threats.
> If there was a top-10 architecture and design flaws and/or associated
> tools to stress test and be used by minions then yeah these types of
> attacks would be on that list.
> Heck there is even some Slowloris code bundled into some of the OWASP
> testing tools anyway. (/search Content-length:42)
>
> And..... in the same vein one could argue that all web clients have a
> full Turing engine available to be driven by JavaScript as well. I
> don't see anyone logically wanting to propose that be on a top-10
> threat even though it should likely be a top 1 threat but hey, now I'm
> just arguing.
+1 Daniel
Hell, you have another Turing-complete engine in CSS (oh yeah - think
about it… those bugs haven't even been fuzzed yet). But everybody also
knows that Java running *anywhere* is the greatest threat of all - Just
saying….
Dennis
--
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a
meeting](http://goo.gl/8sPIy).
*This email is licensed under a [CC BY-ND
3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*
**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free
software](http://www.fsf.org/campaigns/secure-boot/statement).
> The idea that some lives matter less is the root of all that’s wrong
> with the world. -- Paul Farmer