[Owasp-leaders] [Owasp-community] OT10 Risks?

Josh Sokol josh.sokol at owasp.org
Mon Sep 22 16:47:33 UTC 2014


Some more info specific to the Top 10:

A1 - Injection - Injection is a vulnerability.  Data theft resulting from
injection is a risk.
A2 - Broken Auth & Session Mgmt - This is a vulnerability.  An attacker
being able to leverage this flaw to authenticate as another user is a risk.
A3 - XSS - This is a vulnerability.  Compromise of customer data resulting
from exploitation of an XSS vuln is a risk.
A4 - Insecure Direct Object Reference - You could make an argument that
this is a poorly phrased risk, but mostly a vulnerability.  Risk is that
someone can access a page that wasn't intended to be accessed.
etc, etc, etc.

~josh

On Mon, Sep 22, 2014 at 11:40 AM, Josh Sokol <josh.sokol at owasp.org> wrote:

> If you want to get technical, XSS is a vulnerability.  Getting XSS'ed is
> exploitation of that vulnerability.  An example of a risk would be the
> compromise of customer data resulting from the exploitation of a XSS
> vulnerability.
>
> If anyone is interested in learning more about Risk (and SimpleRisk), I'm
> teaching a 1-day class on it at LASCON this year.
>
> ~josh
>
> On Sun, Sep 21, 2014 at 4:13 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>>
>> XSS is not a risk :)  Getting XSS'ed is if you are vulnerable.
>>
>> It's a top 10 of most common vulns.
>> But if you actually did a top 10 (of common vulns)  the top 5 would be
>> SSL and security header related and make for slow reading. :)
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 21 Sep 2014, at 17:04, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>> > Risk != vuln
>> >
>> > Risk is defined as:
>> > "(Exposure to) the possibility of loss, injury, or other adverse or
>> unwelcome circumstance; a chance or situation involving such a possibility."
>> >
>> > The result of a weakness being leveraged and unwelcome outcomes.
>> >
>> >
>> >
>> > Eoin Keary
>> > Owasp Global Board
>> > +353 87 977 2988
>> >
>> >
>> > On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>> >
>> >>> T10 lists does not accurately reflect the most dangerous "risks" or
>> >>> that it would be better to name it differently?
>> >>
>> >> The commentary that I received was that the term "risk" did not
>> >> actually reflect the items on the lists. Folks have told me it should
>> >> be "vulnerabilities" or "attacks" or "weaknesses" and more.
>> >>
>> >> I'm not sure what the right answer is here...
>> >>
>> >> Aloha,
>> >> --
>> >> Jim Manico
>> >> @Manicode
>> >> (808) 652-3805
>> >>
>> >>> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>> >>>
>> >>> T10 lists does not accurately reflect the most dangerous "risks" or
>> >>> that it would be better to name it differently?
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> > _______________________________________________
>> > Owasp-community mailing list
>> > Owasp-community at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-community
>>
>
>