[Owasp-leaders] [Owasp-community] OT10 Risks?

Timur 'x' Khrotko (owasp) timur at owasp.org
Sun Sep 21 21:57:02 UTC 2014


I also would be glad to hear professional criticism regarding the MITRE
definitions. My understanding is that MITRE projects use the terms
according to their own practical context and mission, hence their use of
terms is not harmonized either. See "This page defines specific terms used
throughout CAPEC."
(Probably NIST is to come up with an appsec taxonomy, as appsec MITRE
projects seem to tend to migrate there.)

On Sun, Sep 21, 2014 at 11:41 PM, Jim Manico <jim.manico at owasp.org> wrote:

> > Attack patterns are only "attack" if there is a vuln? Otherwise they
> > are only character strings? Just sayin
>
> From what I am reading, Eoin, an attack pattern (per Mitre) is an ABSTRACT
> mechanism to describe how one would attack a vulnerable cyber-enabled
> system.
>
> A vulnerability would be a weakness in a specific product or service.
>
> This kind of makes sense to me. I've been reading a lot lately, and most
> folks mix these terms in various ways, hence my confusion. I get the
> impression that Mitre is doing this right, but I'm not 100% sure.
>
> Aloha,
> Jim
>
>
>
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 21 Sep 2014, at 17:35, Jim Manico <jim.manico at owasp.org> wrote:
>
> Very interesting, Timur and Eoin. I might be reading this wrong, but it
> looks to me that SQL Injection per Mitre is an ....
>
> ... *attack pattern* http://capec.mitre.org/data/definitions/66.html
> ... caused by the *weakness* of lack of neutralization of special
> characters http://cwe.mitre.org/data/definitions/89.html *[1]*
> ... that *affects many products and services and makes them vulnerable*
> http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
>
> So per Mitre, SQL Injection would NOT be a vulnerability, which is product
> specific (CVE). SQL Injection per Mitre seems to be an attack pattern.
>
> Per Mitre: An "attack pattern" is an abstraction mechanism to assist in
> understanding how an attack against vulnerable cyber-enabled capabilities
> is executed.
>
> So I'm thinking that the "classic" OWASP Top Ten is really a mix of attack
> patterns (a1, a3, a8, a10) and weaknesses (a2, a4, a5, a6, a6, a9).
>
> • A1 Injection
> • A2 Broken Authentication and Session Management
> • A3 Cross-Site Scripting (XSS)
> • A4 Insecure Direct Object References
> • A5 Security Misconfiguration
> • A6 Sensitive Data Exposure
> • A7 Missing Function Level Access Control
> • A8 Cross-Site Request Forgery (CSRF)
> • A9 Using Components with Known Vulnerabilities
> • A10 Unvalidated Redirects and Forwards
>
> And just to make this more confusing, Mitre declares that SQL Injection is
> an attack pattern as described above, but considers SQL injection through
> Hibernate to be a weakness http://cwe.mitre.org/data/definitions/564.html
> which confuses the issue for me....
>
> Aloha,
> Jim
>
> [1] This is not so accurate (debatable) but that is beside the point. :)
> Query parameterization does not neutralize special characters, it
> pre-compiles the query into a query plan that cannot be modified at query
> execution time. :)
>
>
>
> On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
>
>  (vulnerability types, meta weaknesses)
>
>  We may take the MITRE approach in order not to invent parallel
> terminology.
>
> https://cwe.mitre.org (weaknesses, vuln types, circa 700 elements)
> https://cve.mitre.org (vulnerabilities and exposures, thousands)
> https://capec.mitre.org (attack patterns)
>
>
>  The top 41 SANS "Most Dangerous Software Errors"
> https://cwe.mitre.org/top25/index.html
> + 16
> https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>
>
>   On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <eoin.keary at owasp.org>
> wrote:
>
>> Risk != vuln
>>
>> Risk is defined as:
>> "(Exposure to) the possibility of loss, injury, or other adverse or
>> unwelcome circumstance; a chance or situation involving such a possibility."
>>
>> The result of a weakness being leveraged and unwelcome outcomes.
>>
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>
>> >> T10 lists does not accurately
>> > reflect the most dangerous "risks" or that it would be better to name it
>> > differently?
>> >
>> > The commentary that I received was that the term "risk" did not
>> > actually reflect the items on the lists. Folks have told me it should
>> > be "vulnerabilities" or "attacks" or "weaknesses" and more.
>> >
>> > I'm not sure what the right answer is here...
>> >
>> > Aloha,
>> > --
>> > Jim Manico
>> > @Manicode
>> > (808) 652-3805
>> >
>> >> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>> >>
>> >> T10 lists does not accurately
>> >> reflect the most dangerous "risks" or that it would be better to name
>> it
>> >> differently?
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>

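The point in Jim's footnote [1], that a parameterized query binds input as data instead of neutralizing special characters, shown side by side with the CWE-89 string-splicing pattern. This is an added example, not code from the thread or from MITRE; the in-memory SQLite table, the rows, and the function names are constructed for illustration.

```python
"""Added example (not part of the thread): contrasts the CWE-89 pattern of
splicing input into SQL text with a parameterized query, using an in-memory
SQLite database populated with constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern (CWE-89): the input becomes part of the SQL text,
    so a quote character in the input changes the query's structure."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the statement is compiled with a placeholder and the
    value is bound afterwards, so whatever the input contains it is only
    ever a string value and cannot alter the compiled query."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing a quote: nothing is escaped or stripped,
    # the quote is bound as data and the row is found.
    print(lookup_parameterized(db, "o'brien"))  # [("o'brien", 'user')]
    # The same quote character inside a crafted value: the concatenated
    # query's WHERE clause is rewritten and returns every row, while the
    # parameterized query compares against the literal string and finds none.
    crafted = "x' OR '1'='1"
    print(len(lookup_concatenated(db, crafted)))   # 3
    print(len(lookup_parameterized(db, crafted)))  # 0
```

Note that the concatenated version also fails on the legitimate name "o'brien" with a syntax error, which is the same root cause seen from the functionality side.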