[Owasp-leaders] [Owasp-community] OT10 Risks?

Timur 'x' Khrotko (owasp) timur at owasp.org
Mon Sep 22 02:12:41 UTC 2014


(Eoin, I am sorry that my comment was taken personally in that way.
Yes, I was extending your point, which in my interpretation was against
dwelling on the taxonomy here - correct me if I was wrong.)

Case of scriptkiddies refers to attacks that can be performed w/o
understanding the taxonomy and other concepts.
Whereas lack of clear concepts on the defenders' (buyers') side leads to
serious appsec failures.
The seemingly widespread misuse of OT10 is a huge failure, which is
obviously related to misconceptions regarding what kind of 10 things it is
about.

So in my understanding the point of this thread is to renegotiate our use
of words.
Is there any better definition base than that of MITRE?


On Mon, Sep 22, 2014 at 2:59 AM, Eoin Keary <eoin.keary at owasp.org> wrote:

> Hey,
> I'm ok with the scriptkiddy comment. I was not aware our lists were the
> preserve for the "elite".
>
> Anyways Rahim was not the first one to take the thread off point, that was
> Timur, I believe.
>
> I just gave Rahim "a Wedgie" for such a remark.
>
> Anyways you asked a question and got various responses. This is what the
> lists are for.
>
> <BackonTopic>
> I don't think MITRE is the way to go and also any one person cant define
> what the top 10 actually covers. This takes discussion with the project
> leaders and wider community.
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 21 Sep 2014, at 20:27, Jim Manico <jim.manico at owasp.org> wrote:
>
> Rahim,
>
> I know you were kidding (Eoin is your boss, ey?) but I want to take a
> moment to point out our code of ethics...
>
>
> https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics
>
> ...especially:
>
>
>    - Not intentionally injure or impugn the professional reputation of
>    practice of colleagues, clients, or employers;
>    - Treat everyone with respect and dignity;
>
> I have *failed here in the past and do not intend to do so in the future*.
> We have a very passionate and sensitive community. All leaders and members
> need to be aware of this, myself included. Especially me and other members
> of the board...
>
> Rahim, I know you are a man of respect. This topic has been a big issue at
> OWASP as of late and I am trying my best to take our code of ethics very
> seriously.
>
> Aloha Rahim, was great to see you at AppSec USA.
>
> - Jim
>
>
>
> On 9/21/14, 8:18 PM, Rahim Jina wrote:
>
> Dont try to sugar-coat it Jim
>
>  Eoin's a scriptkiddy through and through
>
> Sent from my iPhone
>
> On 21 Sep 2014, at 19:48, Jim Manico <jim.manico at owasp.org> wrote:
>
> There is no-one to blame for this but the entire industry, the problem
> is systemic and I'm not trying to pick on anyone in particular. I am just
> seeking clarity and I might very well be wrong!
>
> So back to Eoin's example, I think the full description would be:
>
> You *exploited* a *vulnerability* *in a specific system* using the *attack
> pattern of SQL Injection*. Apparently, there was a *weakness* in the
> system you were reviewing where query parametrization or other defenses
> were not in place.
>
> Aloha,
> Jim
>
>
> On 9/21/14, 7:24 PM, Timur 'x' Khrotko (owasp) wrote:
>
> Jim, I am absolutely with you!
> The AppSec is ruled by practitioners who do not care.)
>
>  Scriptkiddies take down systems with ascii strings and without knowing
> English.
>
> There are software delivery contracts in the wild that refer to OT10 as
> a list of vulnerabilities to avoid - that is a problem, which in part grows
> from undefined appsec terms too.
>
>
>   On Mon, Sep 22, 2014 at 1:14 AM, Jim Manico <jim.manico at owasp.org>
> wrote:
>
>>  So per Mitre...
>>
>> You *exploited* a *vulnerability* *in a specific system* using the *attack
>> pattern of SQL Injection*.
>>
>> Per Mitre, a vulnerability is only specific to a system (hence CVE) and
>> is not a general definition, per my understanding.
>>
>> I know this is pedantic, but so is all nomenclature within complex
>> systems. :)
>>
>> So just for the record, I've seen SQL Injection called a Risk, a
>> Vulnerability, an Attack Pattern and a Weakness in my Sunday readings. Our
>> industry is NOT good at this right now. I'm trying to achieve clarity.
>>
>> Aloha,
>> - Jim
>>
>>
>> On 9/21/14, 7:04 PM, Eoin Keary wrote:
>>
>> Jim I've taken down entire financial systems via "or 11".
>> An attack pattern to a vulnerable system. A string of chars to a
>> non-vulnerable one.
>>
>>  I think we are drifting off the point here even though this is
>> interesting.....
>>
>>
>> On 21 Sep 2014, at 18:57, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>   Attack patterns, per Mitre, are ABSTRACT descriptions not specific to
>> any product, service or application. Plus your example below is not
>> exploitable in most situations, so I would say no on multiple levels.
>>
>> Here is Mitre's description of SQL Injection as an attack pattern.
>> https://capec.mitre.org/data/definitions/66.html
>>
>> I am not saying that Mitre is correct, I am only (trying) to express
>> their perspective here.
>>
>> Aloha,
>> - Jim
>>
>>
>>
>>
>> On 9/21/14, 6:53 PM, Eoin Keary wrote:
>>
>> Jim,
>> Is setting a username to "O'Brien" an attack pattern?
>>
>> On 21 Sep 2014, at 17:41, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>   > Attack patterns are only "attack" if there is a vuln? Otherwise they
>> are only character strings? Just sayin
>>
>> From what I am reading, Eoin, an attack pattern (per Mitre) is an
>> ABSTRACT mechanism to describe how one would attack a vulnerable
>> cyber-enabled system.
>>
>> A vulnerability would be a weakness in a specific product or service.
>>
>> This kind of makes sense to me. I've been reading a lot lately, and most
>> folks mix these terms in various ways, hence my confusion. I get the
>> impression that Mitre is doing this right, but I'm not 100% sure.
>>
>> Aloha,
>> Jim
>>
>>
>> On 21 Sep 2014, at 17:35, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>   Very interesting, Timur and Eoin. I might be reading this wrong, but
>> it looks to me that SQL Injection per Mitre is an ....
>>
>> ... *attack pattern* http://capec.mitre.org/data/definitions/66.html
>> ... caused by the *weakness* of lack of neutralization of special
>> characters http://cwe.mitre.org/data/definitions/89.html *[1]*
>> ... that *affects many products and services and makes them vulnerable*
>> http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
>>
>> So per Mitre, SQL Injection would NOT be a vulnerability, that is product
>> specific (CVE). SQL Injection per Mitre seems to be an attack pattern.
>>
>> Per Mitre: An "attack pattern" is an abstraction mechanism to assist in
>> understanding how an attack against vulnerable cyber-enabled capabilities
>> is executed.
>>
>> So I'm thinking that the "classic" OWASP Top Ten is really a mix of
>> attack patterns (a1, a3, a8, a10) and weaknesses (a2, a4, a5, a6, a6, a9).
>>
>> •A1 Injection
>> •A2 Broken Authentication and Session Management
>> •A3 Cross-Site Scripting (XSS)
>> •A4 Insecure Direct Object References
>> •A5 Security Misconfiguration
>> •A6 Sensitive Data Exposure
>> •A7 Missing Function Level Access Control
>> •A8 Cross-Site Request Forgery (CSRF)
>> •A9 Using Components with Known Vulnerabilities
>> •A10 Unvalidated Redirects and Forwards
>>
>> And just to make this more confusing, Mitre declares that SQL Injection
>> is an attack pattern as described above, but considers sql injection through
>> hibernate to be a weakness http://cwe.mitre.org/data/definitions/564.html
>> which confuses the issue for me....
>>
>> Aloha,
>> Jim
>>
>> [1] This is not so accurate (debatable) but that is besides the point. :)
>> Query Parametrization does not neutralize special characters, it
>> pre-compiles the query into a query plan that cannot be modified at query
>> execution time. :)
>>
>>
>>
>> On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
>>
>>  (vulnerability types, meta weaknesses)
>>
>>  We may take the MITRE approach in order not to invent parallel
>> terminology.
>>
>>  https://cwe.mitre.org (weaknesses, vuln types, cca 700 elements)
>> https://cve.mitre.org  (vulnerabilities and exposures, thousands)
>> https://capec.mitre.org (attack patterns)
>>
>>
>>  The top 41 SANS "Most Dangerous Software Errors"
>> https://cwe.mitre.org/top25/index.html
>> + 16
>> https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>>
>>
>>   On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <eoin.keary at owasp.org>
>> wrote:
>>
>>> Risk != vuln
>>>
>>> Risk is defined as:
>>> "(Exposure to) the possibility of loss, injury, or other adverse or
>>> unwelcome circumstance; a chance or situation involving such a possibility."
>>>
>>> The result of a weakness being leveraged and unwelcome outcomes.
>>>
>>> On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>> >> T10 lists do not accurately
>>> > reflect the most dangerous "risks" or that it would be better to name
>>> > it differently?
>>> >
>>> > The commentary that I received was that the term "risk" did not
>>> > actually reflect the items on the lists. Folks have told me it should
>>> > be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>> >
>>> > I'm not sure what the right answer is here...
>>> >
>>> > Aloha,
>>> > --
>>> > Jim Manico
>>> > @Manicode
>>> > (808) 652-3805
>>> >
>>> >> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>> >>
>>> >> T10 lists do not accurately
>>> >> reflect the most dangerous "risks" or that it would be better to name
>>> >> it differently?
>>> > _______________________________________________
>>> > OWASP-Leaders mailing list
>>> > OWASP-Leaders at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>>
>> Email us to enforce secure link with your mail servers (domain).
>> This message may contain confidential information - you should handle it
>> accordingly.
>> This message may contain confidential information and should be handled accordingly.
>>
>
>
>
>   _______________________________________________
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-community
>
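As an added example (not code from any poster in the thread), the footnote's point about query parametrization, shown with Python's sqlite3 on a constructed in-memory table: the same legitimate value `O'Brien` that breaks a string-concatenated query (the CWE-89 weakness) is bound as plain data by a parametrized one, and the stored value is not altered, i.e. nothing is "neutralized".

```python
import sqlite3


def make_db():
    # Constructed sample data; the apostrophe in O'Brien is a normal username.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    conn.commit()
    return conn


def lookup_concat(conn, username):
    # The weakness: the value is spliced into the SQL text, so the parser
    # cannot distinguish data from query structure. A harmless apostrophe
    # already changes the statement; the string is not an attack by itself.
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    # Parametrized: the statement is compiled with a placeholder first and
    # the value is bound afterwards, so it can only be compared as a value.
    sql = "SELECT id FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def stored_username(conn, user_id):
    # Shows that binding does not rewrite the data: the apostrophe survives.
    row = conn.execute("SELECT username FROM users WHERE id = ?",
                       (user_id,)).fetchone()
    return row[0] if row else None


def demo(username="O'Brien"):
    conn = make_db()
    results = {"param": lookup_param(conn, username)}
    try:
        results["concat"] = lookup_concat(conn, username)
    except sqlite3.Error as exc:
        # The concatenated statement fails to parse on a legitimate input.
        results["concat"] = "error: " + str(exc)
    results["stored"] = stored_username(conn, 2)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```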
