[Owasp-leaders] [Owasp-community] OT10 Risks?

Jim Manico jim.manico at owasp.org
Mon Sep 22 00:27:56 UTC 2014


Rahim,

I know you were kidding (Eoin is your boss, ey?) but I want to take a 
moment to point out our code of ethics...

https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics

...especially:

  * Not intentionally injure or impugn the professional reputation or
    practice of colleagues, clients, or employers;
  * Treat everyone with respect and dignity;

I have failed here in the past and do not intend to do so in the 
future. We have a very passionate and sensitive community. All leaders 
and members need to be aware of this, myself included. Especially me and 
other members of the board...

Rahim, I know you are a man of respect. This topic has been a big issue 
at OWASP as of late and I am trying my best to take our code of ethics 
very seriously.

Aloha Rahim, was great to see you at AppSec USA.

- Jim



On 9/21/14, 8:18 PM, Rahim Jina wrote:
> Don't try to sugar-coat it Jim
>
> Eoin's a scriptkiddy through and through
>
> Sent from my iPhone
>
> On 21 Sep 2014, at 19:48, Jim Manico <jim.manico at owasp.org> wrote:
>
>> There is no-one to blame for this but the entire industry; the problem 
>> is systemic and I'm not trying to pick on anyone in particular. I am 
>> just seeking clarity and I might very well be wrong!
>>
>> So back to Eoin's example, I think the full description would be:
>>
>> You exploited a vulnerability in a specific system using the attack 
>> pattern of SQL Injection. Apparently, there was a weakness in the 
>> system you were reviewing where query parametrization or other 
>> defenses were not in place.
>>
>> Aloha,
>> Jim
>>
>>
>> On 9/21/14, 7:24 PM, Timur 'x' Khrotko (owasp) wrote:
>>> Jim, I am absolutely with you!
>>> AppSec is ruled by practitioners who do not care. :)
>>>
>>> Scriptkiddies take down systems with ascii strings and without 
>>> knowing English.
>>>
>>> There are software delivery contracts in the wild that refer to OT10 
>>> as a list of vulnerabilities to avoid - that is a problem, which in 
>>> part grows from undefined appsec terms too.
>>>
>>>
>>> On Mon, Sep 22, 2014 at 1:14 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>     So per Mitre...
>>>
>>>     You exploited a vulnerability in a specific system using the
>>>     attack pattern of SQL Injection.
>>>
>>>     Per Mitre, a vulnerability is only specific to a system (hence
>>>     CVE) and is not a general definition, per my understanding.
>>>
>>>     I know this is pedantic, but so is all nomenclature within
>>>     complex systems. :)
>>>
>>>     So just for the record, I've seen SQL Injection called a Risk, a
>>>     Vulnerability, an Attack Pattern and a Weakness in my Sunday
>>>     readings. Our industry is NOT good at this right now. I'm trying
>>>     to achieve clarity.
>>>
>>>     Aloha,
>>>     - Jim
>>>
>>>
>>>     On 9/21/14, 7:04 PM, Eoin Keary wrote:
>>>>     Jim I've taken down entire financial systems via "or 11".
>>>>     An attack pattern to a vulnerable system. A string of chars to
>>>>     a non vulnerable one.
>>>>
>>>>     I think we are drifting off the point here even though this is
>>>>     interesting.....
>>>>
>>>>
>>>>     Eoin Keary
>>>>     Owasp Global Board
>>>>     +353 87 977 2988
>>>>
>>>>
>>>>     On 21 Sep 2014, at 18:57, Jim Manico <jim.manico at owasp.org> wrote:
>>>>
>>>>>     Attack patterns, per Mitre, are ABSTRACT descriptions not
>>>>>     specific to any product, service or application. Plus your
>>>>>     example below is not exploitable in most situations, so I
>>>>>     would say no on multiple levels.
>>>>>
>>>>>     Here is Mitre's description of SQL Injection as an attack
>>>>>     pattern. https://capec.mitre.org/data/definitions/66.html
>>>>>
>>>>>     I am not saying that Mitre is correct, I am only (trying) to
>>>>>     express their perspective here.
>>>>>
>>>>>     Aloha,
>>>>>     - Jim
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>     On 9/21/14, 6:53 PM, Eoin Keary wrote:
>>>>>>     Jim,
>>>>>>     Is setting a username to "O'Brien" an attack pattern?
>>>>>>
>>>>>>
>>>>>>     Eoin Keary
>>>>>>     Owasp Global Board
>>>>>>     +353 87 977 2988
>>>>>>
>>>>>>
>>>>>>     On 21 Sep 2014, at 17:41, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>
>>>>>>>     > Attack patterns are only "attack" if there is a vuln?
>>>>>>>     Otherwise they are only character strings? Just sayin
>>>>>>>
>>>>>>>     From what I am reading, Eoin, an attack pattern (per Mitre)
>>>>>>>     is an ABSTRACT mechanism to describe how one would attack a
>>>>>>>     vulnerable cyber-enabled system.
>>>>>>>
>>>>>>>     A vulnerability would be a weakness in a specific product or
>>>>>>>     service.
>>>>>>>
>>>>>>>     This kind of makes sense to me. I've been reading a lot
>>>>>>>     lately, and most folks mix these terms in various ways,
>>>>>>>     hence my confusion. I get the impression that Mitre is doing
>>>>>>>     this right, but I'm not 100% sure.
>>>>>>>
>>>>>>>     Aloha,
>>>>>>>     Jim
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>     Eoin Keary
>>>>>>>>     Owasp Global Board
>>>>>>>>     +353 87 977 2988
>>>>>>>>
>>>>>>>>
>>>>>>>>     On 21 Sep 2014, at 17:35, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>
>>>>>>>>>     Very interesting, Timur and Eoin. I might be reading this
>>>>>>>>>     wrong, but it looks to me that SQL Injection per Mitre is
>>>>>>>>>     an ....
>>>>>>>>>
>>>>>>>>>     ... *attack pattern*
>>>>>>>>>     http://capec.mitre.org/data/definitions/66.html
>>>>>>>>>     ... caused by the *weakness* of lack of neutralization of
>>>>>>>>>     special characters
>>>>>>>>>     http://cwe.mitre.org/data/definitions/89.html *[1]*
>>>>>>>>>     ... that *affects many products and services and makes
>>>>>>>>>     them vulnerable*
>>>>>>>>>     http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
>>>>>>>>>
>>>>>>>>>     So per Mitre, SQL Injection would NOT be a vulnerability,
>>>>>>>>>     that is product specific (CVE). SQL Injection per Mitre
>>>>>>>>>     seems to be an attack pattern.
>>>>>>>>>
>>>>>>>>>     Per Mitre: An "attack pattern" is an abstraction mechanism
>>>>>>>>>     to assist in understanding how an attack against
>>>>>>>>>     vulnerable cyber-enabled capabilities is executed.
>>>>>>>>>
>>>>>>>>>     So I'm thinking that the "classic" OWASP Top Ten is really
>>>>>>>>>     a mix of attack patterns (a1, a3, a8, a10) and weaknesses
>>>>>>>>>     (a2, a4, a5, a6, a7, a9).
>>>>>>>>>
>>>>>>>>>     •A1 Injection
>>>>>>>>>     •A2 Broken Authentication and Session Management
>>>>>>>>>     •A3 Cross-Site Scripting (XSS)
>>>>>>>>>     •A4 Insecure Direct Object References
>>>>>>>>>     •A5 Security Misconfiguration
>>>>>>>>>     •A6 Sensitive Data Exposure
>>>>>>>>>     •A7 Missing Function Level Access Control
>>>>>>>>>     •A8 Cross-Site Request Forgery (CSRF)
>>>>>>>>>     •A9 Using Components with Known Vulnerabilities
>>>>>>>>>     •A10 Unvalidated Redirects and Forwards
>>>>>>>>>
>>>>>>>>>     And just to make this more confusing, Mitre declares that
>>>>>>>>>     SQL Injection is an attack pattern as described above, but
>>>>>>>>>     considers SQL injection through Hibernate to be a weakness
>>>>>>>>>     http://cwe.mitre.org/data/definitions/564.html which
>>>>>>>>>     confuses the issue for me....
>>>>>>>>>
>>>>>>>>>     Aloha,
>>>>>>>>>     Jim
>>>>>>>>>
>>>>>>>>>     [1] This is not so accurate (debatable) but that is
>>>>>>>>>     beside the point. :) Query Parametrization does not
>>>>>>>>>     neutralize special characters, it pre-compiles the query
>>>>>>>>>     into a query plan that cannot be modified at query
>>>>>>>>>     execution time. :)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>     On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
>>>>>>>>>>     (vulnerability types, meta weaknesses)
>>>>>>>>>>
>>>>>>>>>>     We may take the MITRE approach in order not to invent
>>>>>>>>>>     parallel terminology.
>>>>>>>>>>
>>>>>>>>>>     https://cwe.mitre.org (weaknesses, vuln types, circa 700 elements)
>>>>>>>>>>     https://cve.mitre.org (vulnerabilities and exposures, thousands)
>>>>>>>>>>     https://capec.mitre.org (attack patterns)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>     The top 41 SANS "Most Dangerous Software Errors"
>>>>>>>>>>     https://cwe.mitre.org/top25/index.html
>>>>>>>>>>     + 16
>>>>>>>>>>     https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>     On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>>>>>>>
>>>>>>>>>>         Risk != vuln
>>>>>>>>>>
>>>>>>>>>>         Risk is defined as:
>>>>>>>>>>         "(Exposure to) the possibility of loss, injury, or
>>>>>>>>>>         other adverse or unwelcome circumstance; a chance or
>>>>>>>>>>         situation involving such a possibility."
>>>>>>>>>>
>>>>>>>>>>         The result of a weakness being leveraged and
>>>>>>>>>>         unwelcome outcomes.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>         Eoin Keary
>>>>>>>>>>         Owasp Global Board
>>>>>>>>>>         +353 87 977 2988
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>         On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>>>
>>>>>>>>>>         >> T10 lists does not accurately reflect the most
>>>>>>>>>>         >> dangerous "risks" or that it would be better to
>>>>>>>>>>         >> name it differently?
>>>>>>>>>>         >
>>>>>>>>>>         > The commentary that I received was that the term
>>>>>>>>>>         > "risk" did not actually reflect the items on the
>>>>>>>>>>         > lists. Folks have told me it should be
>>>>>>>>>>         > "vulnerabilities" or "attacks" or "weaknesses"
>>>>>>>>>>         > and more.
>>>>>>>>>>         >
>>>>>>>>>>         > I'm not sure what the right answer is here...
>>>>>>>>>>         >
>>>>>>>>>>         > Aloha,
>>>>>>>>>>         > --
>>>>>>>>>>         > Jim Manico
>>>>>>>>>>         > @Manicode
>>>>>>>>>>         > (808) 652-3805
>>>>>>>>>>         >
>>>>>>>>>>         >> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>>>>>>>         >>
>>>>>>>>>>         >> T10 lists does not accurately reflect the most
>>>>>>>>>>         >> dangerous "risks" or that it would be better to
>>>>>>>>>>         >> name it differently?
>>>>>>>>>>         > _______________________________________________
>>>>>>>>>>         > OWASP-Leaders mailing list
>>>>>>>>>>         > OWASP-Leaders at lists.owasp.org
>>>>>>>>>>         > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>     Email us to enforce secure link with your mail servers
>>>>>>>>>>     (domain).
>>>>>>>>>>     This message may contain confidential information - you
>>>>>>>>>>     should handle it accordingly.
>>>>>>>>>>     (In Hungarian:) This message may contain confidential
>>>>>>>>>>     information and should be handled as such.
>>>>>>>>>
>>>>>>>
>>>>>
>>>
>>>
>>>
>>
>> _______________________________________________
>> Owasp-community mailing list
>> Owasp-community at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-community
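
Added example (not part of the thread above, and not code from any of the 
participants): footnote [1] in Jim's message draws a line between 
neutralizing special characters and query parametrization, and Eoin's 
"O'Brien" username is the input that separates the two. The Python script 
below, using only the standard sqlite3 module and a constructed three-row 
users table, runs the same username lookup three ways: by string 
concatenation (the weakness), by quote-doubling (neutralization of the 
special character), and with a bound parameter (the statement is compiled 
before the value is supplied). It also feeds each variant a tautology 
string of the kind Eoin mentions. The table contents, function names and 
input strings are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the illustration (not from the thread).
ROWS = [
    ("alice", "alice-secret"),
    ("obrien", "obrien-secret"),
    ("O'Brien", "irish-secret"),
]

# Two inputs: a legitimate Irish surname and a classic tautology payload
# (both chosen for this example; the thread does not give exact strings).
LEGIT_NAME = "O'Brien"
TAUTOLOGY = "' OR '1'='1"


def _fresh_db():
    """In-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(username):
    """Weakness: the value is spliced into the SQL text, so the database
    parses whatever characters it contains as part of the statement.
    Returns the matching usernames, or an 'error: ...' string if the
    resulting query no longer parses."""
    conn = _fresh_db()
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return sorted(r[0] for r in conn.execute(sql))
    except sqlite3.OperationalError as e:
        return "error: " + str(e)


def lookup_escaped(username):
    """Neutralization: the single quote is doubled so it stays inside the
    SQL string literal. Correct for this context, but it works by rewriting
    the input, and every other context (numbers, identifiers, LIKE patterns)
    needs its own rule."""
    conn = _fresh_db()
    safe = username.replace("'", "''")
    sql = "SELECT username FROM users WHERE username = '" + safe + "'"
    return sorted(r[0] for r in conn.execute(sql))


def lookup_parameterized(username):
    """Parametrization: the statement text is fixed and compiled first; the
    value is bound afterwards as data, so nothing in it can alter the query
    structure, and no characters are rewritten."""
    conn = _fresh_db()
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(r[0] for r in conn.execute(sql, (username,)))


def demo():
    """Run all three variants against both inputs and return the results."""
    results = {}
    for label, fn in (("concatenated", lookup_concatenated),
                      ("escaped", lookup_escaped),
                      ("parameterized", lookup_parameterized)):
        results[label] = {
            "O'Brien": fn(LEGIT_NAME),
            "tautology": fn(TAUTOLOGY),
        }
    return results


if __name__ == "__main__":
    for label, out in demo().items():
        print(label, out)
```

Run as-is: the concatenated lookup turns O'Brien into a syntax error and 
the tautology into a full table dump; the escaped and parameterized lookups 
return the same, correct rows for both inputs, but only the parameterized 
one does so without rewriting the caller's string, which is the distinction 
footnote [1] is making. Feeding the tautology to the non-concatenated 
variants is also the point Eoin makes about "a string of chars to a non 
vulnerable one": the same input is an attack against one implementation and 
just data to the other two.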


