[Owasp-leaders] [Owasp-community] OT10 Risks?

Eoin Keary eoin.keary at owasp.org
Mon Sep 22 00:59:51 UTC 2014


Hey,
I'm ok with the scriptkiddy comment. I was not aware our lists were the preserve for the "elite".

Anyways Rahim was not the first one to take the thread off point, that was Timur, I believe.
 
I just gave Rahim "a Wedgie" for such a remark.

Anyways you asked a question and got various responses. This is what the lists are for. 

<BackonTopic>
I don't think MITRE is the way to go, and also any one person can't define what the Top 10 actually covers. This takes discussion with the project leaders and the wider community.





Eoin Keary
Owasp Global Board
+353 87 977 2988


On 21 Sep 2014, at 20:27, Jim Manico <jim.manico at owasp.org> wrote:

> Rahim,
> 
> I know you were kidding (Eoin is your boss, ey?) but I want to take a moment to point out our code of ethics...
> 
> https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics
> 
> ...especially:
> 
> Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers;
> Treat everyone with respect and dignity; 
> I have failed here in the past and do not intend to do so in the future. We have a very passionate and sensitive community. All leaders and members need to be aware of this, myself included. Especially me and other members of the board...
> Rahim, I know you are a man of respect. This topic has been a big issue at OWASP as of late and I am trying my best to take our code of ethics very seriously.
> Aloha Rahim, was great to see you at AppSec USA.
> - Jim
> 
> 
> 
> On 9/21/14, 8:18 PM, Rahim Jina wrote:
>> Dont try to sugar-coat it Jim
>> 
>> Eoin's a scriptkiddy through and through
>> 
>> Sent from my iPhone
>> 
>> On 21 Sep 2014, at 19:48, Jim Manico <jim.manico at owasp.org> wrote:
>> 
>>> There is no-one to blame for this but the entire industry; the problem is systemic and I'm not trying to pick on anyone in particular. I am just seeking clarity and I might very well be wrong!
>>> 
>>> So back to Eoin's example, I think the full description would be:
>>> 
>>> You exploited a vulnerability in a specific system using the attack pattern of SQL Injection. Apparently, there was a weakness in the system you were reviewing where query parametrization or other defenses were not in place.
>>> 
>>> Aloha,
>>> Jim
>>> 
>>> 
>>> On 9/21/14, 7:24 PM, Timur 'x' Khrotko (owasp) wrote:
>>>> Jim, I am absolutely with you! 
>>>> AppSec is ruled by practitioners who do not care.)
>>>> 
>>>> Scriptkiddies take down systems with ascii strings and without knowing English.
>>>> 
>>>> There are software delivery contracts in the wild that refer to OT10 as a list of vulnerabilities to avoid - that is a problem, which in part grows from undefined appsec terms too.
>>>> 
>>>> 
>>>> On Mon, Sep 22, 2014 at 1:14 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>> So per Mitre...
>>>>> 
>>>>> You exploited a vulnerability in a specific system using the attack pattern of SQL Injection.
>>>>> 
>>>>> Per Mitre, a vulnerability is only specific to a system (hence CVE) and is not a general definition, per my understanding.
>>>>> 
>>>>> I know this is pedantic, but so is all nomenclature within complex systems. :)
>>>>> 
>>>>> So just for the record, I've seen SQL Injection called a Risk, a Vulnerability, an Attack Pattern and a Weakness in my Sunday readings. Our industry is NOT good at this right now. I'm trying to achieve clarity.
>>>>> 
>>>>> Aloha,
>>>>> - Jim
>>>>> 
>>>>> 
>>>>> On 9/21/14, 7:04 PM, Eoin Keary wrote:
>>>>>> Jim I've taken down entire financial systems via "or 11".
>>>>>> An attack pattern to a vulnerable system. A string of chars to a non vulnerable one.
>>>>>> 
>>>>>> I think we are drifting off the point here even though this is interesting.....
>>>>>> 
>>>>>> 
>>>>>> Eoin Keary
>>>>>> Owasp Global Board
>>>>>> +353 87 977 2988
>>>>>> 
>>>>>> 
>>>>>> On 21 Sep 2014, at 18:57, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>> 
>>>>>>> Attack patterns, per Mitre, are ABSTRACT descriptions not specific to any product, service or application. Plus your example below is not exploitable in most situations, so I would say no on multiple levels.
>>>>>>> 
>>>>>>> Here is Mitre's description of SQL Injection as an attack pattern. https://capec.mitre.org/data/definitions/66.html
>>>>>>> 
>>>>>>> I am not saying that Mitre is correct, I am only (trying) to express their perspective here.
>>>>>>> 
>>>>>>> Aloha,
>>>>>>> - Jim
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On 9/21/14, 6:53 PM, Eoin Keary wrote:
>>>>>>>> Jim,
>>>>>>>> Is setting a username to "O'Brien" an attack pattern?
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Eoin Keary
>>>>>>>> Owasp Global Board
>>>>>>>> +353 87 977 2988
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 21 Sep 2014, at 17:41, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>> 
>>>>>>>>> > Attack patterns are only "attack" if there is a vuln? Otherwise they are only character strings? Just sayin
>>>>>>>>> 
>>>>>>>>> From what I am reading, Eoin, an attack pattern (per Mitre) is an ABSTRACT mechanism to describe how one would attack a vulnerable cyber-enabled system.
>>>>>>>>> 
>>>>>>>>> A vulnerability would be a weakness in a specific product or service.
>>>>>>>>> 
>>>>>>>>> This kind of makes sense to me. I've been reading a lot lately, and most folks mix these terms in various ways, hence my confusion. I get the impression that Mitre is doing this right, but I'm not 100% sure.
>>>>>>>>> 
>>>>>>>>> Aloha,
>>>>>>>>> Jim
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Eoin Keary
>>>>>>>>>> Owasp Global Board
>>>>>>>>>> +353 87 977 2988
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On 21 Sep 2014, at 17:35, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>>> 
>>>>>>>>>>> Very interesting, Timur and Eoin. I might be reading this wrong, but it looks to me that SQL Injection per Mitre is an ....
>>>>>>>>>>> 
>>>>>>>>>>> ... attack pattern http://capec.mitre.org/data/definitions/66.html
>>>>>>>>>>> ... caused by the weakness of lack of neutralization of special characters http://cwe.mitre.org/data/definitions/89.html [1]
>>>>>>>>>>> ... that affects many products and services and makes them vulnerable http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
>>>>>>>>>>> 
>>>>>>>>>>> So per Mitre, SQL Injection would NOT be a vulnerability, that is product specific (CVE). SQL Injection per Mitre seems to be an attack pattern.
>>>>>>>>>>> 
>>>>>>>>>>> Per Mitre: An "attack pattern" is an abstraction mechanism to assist in understanding how an attack against vulnerable cyber-enabled capabilities is executed.
>>>>>>>>>>> 
>>>>>>>>>>> So I'm thinking that the "classic" OWASP Top Ten is really a mix of attack patterns (a1, a3, a8, a10) and weaknesses (a2, a4, a5, a6, a7, a9).
>>>>>>>>>>> 
>>>>>>>>>>> •A1 Injection
>>>>>>>>>>> •A2 Broken Authentication and Session Management
>>>>>>>>>>> •A3 Cross-Site Scripting (XSS)
>>>>>>>>>>> •A4 Insecure Direct Object References
>>>>>>>>>>> •A5 Security Misconfiguration
>>>>>>>>>>> •A6 Sensitive Data Exposure
>>>>>>>>>>> •A7 Missing Function Level Access Control
>>>>>>>>>>> •A8 Cross-Site Request Forgery (CSRF)
>>>>>>>>>>> •A9 Using Components with Known Vulnerabilities
>>>>>>>>>>> •A10 Unvalidated Redirects and Forwards
>>>>>>>>>>> 
>>>>>>>>>>> And just to make this more confusing, Mitre declares that SQL Injection is an attack pattern as described above, but considers SQL injection through Hibernate to be a weakness http://cwe.mitre.org/data/definitions/564.html which confuses the issue for me....
>>>>>>>>>>> 
>>>>>>>>>>> Aloha,
>>>>>>>>>>> Jim
>>>>>>>>>>> 
>>>>>>>>>>> [1] This is not so accurate (debatable) but that is besides the point. :) Query Parametrization does not neutralize special characters, it pre-compiles the query into a query plan that cannot be modified at query execution time. :)
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
>>>>>>>>>>>> (vulnerability types, meta weaknesses)
>>>>>>>>>>>> 
>>>>>>>>>>>> We may take the MITRE approach in order not to invent parallel terminology.
>>>>>>>>>>>> 
>>>>>>>>>>>> https://cwe.mitre.org (weaknesses, vuln types, circa 700 elements)
>>>>>>>>>>>> https://cve.mitre.org  (vulnerabilities and exposures, thousands)
>>>>>>>>>>>> https://capec.mitre.org (attack patterns)
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> The top 41 SANS "Most Dangerous Software Errors"
>>>>>>>>>>>> https://cwe.mitre.org/top25/index.html
>>>>>>>>>>>> + 16
>>>>>>>>>>>> https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>>>>>>>>>> Risk != vuln
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Risk is defined as:
>>>>>>>>>>>>> "(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility."
>>>>>>>>>>>>> 
>>>>>>>>>>>>> The result of a weakness being leveraged and unwelcome outcomes.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Eoin Keary
>>>>>>>>>>>>> Owasp Global Board
>>>>>>>>>>>>> +353 87 977 2988
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> >> T10 list does not accurately
>>>>>>>>>>>>> > reflect the most dangerous "risks" or that it would be better to name it
>>>>>>>>>>>>> > differently?
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > The commentary that I received was that the term "risk" did not
>>>>>>>>>>>>> > actually reflect the items on the lists. Folks have told me it should
>>>>>>>>>>>>> > be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > I'm not sure what the right answer is here...
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > Aloha,
>>>>>>>>>>>>> > --
>>>>>>>>>>>>> > Jim Manico
>>>>>>>>>>>>> > @Manicode
>>>>>>>>>>>>> > (808) 652-3805
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> T10 list does not accurately
>>>>>>>>>>>>> >> reflect the most dangerous "risks" or that it would be better to name it
>>>>>>>>>>>>> >> differently?
>>>>>>>>>>>>> > _______________________________________________
>>>>>>>>>>>>> > OWASP-Leaders mailing list
>>>>>>>>>>>>> > OWASP-Leaders at lists.owasp.org
>>>>>>>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>> 
>>>> 
>>> _______________________________________________
>>> Owasp-community mailing list
>>> Owasp-community at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-community
> 
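The "O'Brien" username and the "or 1=1" string discussed in the thread, shown side by side as an added example (editor's code, not posted by anyone on the list). It builds a constructed in-memory SQLite table and runs the same two inputs through a string-concatenated query and a parameterized one: the apostrophe in O'Brien is a syntax error for the concatenated query but plain data for the parameterized one, and the `' OR '1'='1` string only becomes an attack where the weakness (concatenation) is present. That is the distinction Eoin and Jim were circling: the input is just characters; whether it is an attack depends on the code it meets. The table name, the column names and the sample rows are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("O'Brien", "ob-secret"), ("bob", "b-secret")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, username):
    """Weak form (CWE-89 style): the value is spliced into the SQL text,
    so quote characters in the input change the statement itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    """Parameterized form: the statement is compiled once with a placeholder
    and the value is bound afterwards, so it can never alter the query plan."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run a legitimate value and an attack string through both lookups
    and return what each produced (an error message where the query broke)."""
    conn = make_db()
    results = {}

    # 1) A legitimate name that happens to contain a quote character.
    try:
        results["concat_obrien"] = lookup_concat(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        # ...WHERE username = 'O'Brien'  -> the quote ends the literal early
        results["concat_obrien"] = "error: " + str(exc)
    results["param_obrien"] = lookup_param(conn, "O'Brien")

    # 2) The classic tautology string; it is only an "attack" against the
    #    concatenated query, where it rewrites the WHERE clause.
    payload = "x' OR '1'='1"
    results["concat_attack"] = lookup_concat(conn, payload)  # every row
    results["param_attack"] = lookup_param(conn, payload)    # no such user
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints the concatenated lookup failing on O'Brien and returning all three usernames for the tautology string, while the parameterized lookup returns exactly O'Brien for the first input and nothing for the second. Note that no character was "neutralized" in the parameterized path, which is the point Jim makes in his footnote: the value is bound to an already-compiled statement rather than escaped.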