[Owasp-leaders] [Owasp-community] OT10 Risks?

Jim Manico jim.manico at owasp.org
Sun Sep 21 21:38:05 UTC 2014


So yeah, per Mitre/CVE, a vulnerability is only specific to a product.
So per Mitre, SQL Injection by itself is an attack pattern.

SQL Injection in a product like 
http://www.cvedetails.com/cve/CVE-2014-5440/ is a vulnerability in that 
product.

So the OWASP Top Ten is a list of attack patterns and weaknesses per 
Mitre from what I read.

Aloha,
Jim


On 9/21/14, 5:33 PM, Timur 'x' Khrotko (owasp) wrote:
> https://capec.mitre.org/about/glossary.html
>
> Cyber-Enabled Capability
> Weakness Type
> Weakness
> Negative Technical Impact
> Exploit
> Vulnerability
> Attack
> Attack Pattern
> Threat
> View
> Graph
> Explicit Slice
> Implicit Slice
> Category
> Meta Attack Pattern
> Standard Attack Pattern
> Detailed Attack Pattern
>
>
> On Sun, Sep 21, 2014 at 11:13 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>
>     XSS is not a risk :)  Getting XSS'ed is if you are vulnerable.
>
>     It's a top 10 of most common vulns.
>     But if you actually did a top 10 (of common vulns)  the top 5
>     would be SSL and security header related and make for slow reading. :)
>
>
>     Eoin Keary
>     Owasp Global Board
>     +353 87 977 2988
>
>
>     On 21 Sep 2014, at 17:04, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>     > Risk != vuln
>     >
>     > Risk is defined as:
>     > "(Exposure to) the possibility of loss, injury, or other adverse
>     or unwelcome circumstance; a chance or situation involving such a
>     possibility."
>     >
>     > The result of a weakness being leveraged and unwelcome outcomes.
>     >
>     >
>     >
>     > Eoin Keary
>     > Owasp Global Board
>     > +353 87 977 2988
>     >
>     >
>     > On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>     >
>     >>> T10 lists does not accurately
>     >> reflect the most dangerous "risks" or that it would be better
>     to name it
>     >> differently?
>     >>
>     >> The commentary that I received was that the term "risk" did not
>     >> actually reflect the items on the lists. Folks have told me it
>     should
>     >> be "vulnerabilities" or "attacks" or "weaknesses" and more.
>     >>
>     >> I'm not sure what the right answer is here...
>     >>
>     >> Aloha,
>     >> --
>     >> Jim Manico
>     >> @Manicode
>     >> (808) 652-3805
>     >>
>     >>> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>     >>>
>     >>> T10 lists does not accurately
>     >>> reflect the most dangerous "risks" or that it would be better
>     to name it
>     >>> differently?
>     >> _______________________________________________
>     >> OWASP-Leaders mailing list
>     >> OWASP-Leaders at lists.owasp.org
>     >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     > _______________________________________________
>     > Owasp-community mailing list
>     > Owasp-community at lists.owasp.org
>     > https://lists.owasp.org/mailman/listinfo/owasp-community
>
>
>
> Email us to enforce a secure link with your mail servers (domain).
> This message may contain confidential information - you should handle 
> it accordingly.
> This message may contain confidential information and should be handled accordingly.
