[Owasp-leaders] [Owasp-community] OT10 Risks?

Josh Sokol josh.sokol at owasp.org
Mon Sep 22 16:40:36 UTC 2014


If you want to get technical, XSS is a vulnerability.  Getting XSS'ed is
exploitation of that vulnerability.  An example of a risk would be the
compromise of customer data resulting from the exploitation of an XSS
vulnerability.

If anyone is interested in learning more about Risk (and SimpleRisk), I'm
teaching a 1-day class on it at LASCON this year.

~josh

On Sun, Sep 21, 2014 at 4:13 PM, Eoin Keary <eoin.keary at owasp.org> wrote:

>
> Xss is not a risk :)  Getting XSS'ed is if you are vulnerable.
>
> It's a top 10 of most common vulns.
> But if you actually did a top 10 (of common vulns)  the top 5 would be SSL
> and security header related and make for slow reading. :)
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 21 Sep 2014, at 17:04, Eoin Keary <eoin.keary at owasp.org> wrote:
>
> > Risk != vuln
> >
> > Risk is defined as:
> > "(Exposure to) the possibility of loss, injury, or other adverse or
> > unwelcome circumstance; a chance or situation involving such a possibility."
> >
> > The result of a weakness being leveraged and unwelcome outcomes.
> >
> >
> >
> > Eoin Keary
> > Owasp Global Board
> > +353 87 977 2988
> >
> >
> > On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
> >
> >>> T10 lists does not accurately
> >> reflect the most dangerous "risks" or that it would be better to name it
> >> differently?
> >>
> >> The commentary that I received was that the term "risk" did not
> >> actually reflect the items on the lists. Folks have told me it should
> >> be "vulnerabilities" or "attacks" or "weaknesses" and more.
> >>
> >> I'm not sure what the right answer is here...
> >>
> >> Aloha,
> >> --
> >> Jim Manico
> >> @Manicode
> >> (808) 652-3805
> >>
> >>> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
> >>>
> >>> T10 lists does not accurately
> >>> reflect the most dangerous "risks" or that it would be better to name it
> >>> differently?
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> > _______________________________________________
> > Owasp-community mailing list
> > Owasp-community at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-community
>