[Owasp-leaders] [Owasp-community] OT10 Risks?

Bill Sempf bill.sempf at owasp.org
Mon Sep 22 16:52:13 UTC 2014


I disagree.

Injection is an attack. Lack of parameterized queries is a vulnerability.
XSS is also an attack. Poor input validation, poor output encoding are
vulnerabilities.

Et cetera.

S

On Mon, Sep 22, 2014 at 12:47 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Some more info specific to the Top 10:
>
> A1 - Injection - Injection is a vulnerability.  Data theft resulting from
> injection is a risk.
> A2 - Broken Auth & Session Mgmt - This is a vulnerability.  An attacker
> being able to leverage this flaw to authenticate as another user is a risk.
> A3 - XSS - This is a vulnerability.  Compromise of customer data resulting
> from exploitation of an XSS vuln is a risk.
> A4 - Insecure Direct Object Reference - You could make an argument that
> this is a poorly phrased risk, but mostly a vulnerability.  Risk is that
> someone can access a page that wasn't intended to be accessed.
> etc, etc, etc.
>
> ~josh
>
> On Mon, Sep 22, 2014 at 11:40 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> If you want to get technical, XSS is a vulnerability.  Getting XSS'ed is
>> exploitation of that vulnerability.  An example of a risk would be the
>> compromise of customer data resulting from the exploitation of an XSS
>> vulnerability.
>>
>> If anyone is interested in learning more about Risk (and SimpleRisk), I'm
>> teaching a 1-day class on it at LASCON this year.
>>
>> ~josh
>>
>> On Sun, Sep 21, 2014 at 4:13 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>>>
>>> XSS is not a risk :)  Getting XSS'ed is if you are vulnerable.
>>>
>>> It's a top 10 of most common vulns.
>>> But if you actually did a top 10 (of common vulns)  the top 5 would be
>>> SSL and security header related and make for slow reading. :)
>>>
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>> On 21 Sep 2014, at 17:04, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>
>>> > Risk != vuln
>>> >
>>> > Risk is defined as:
>>> > "(Exposure to) the possibility of loss, injury, or other adverse or
>>> > unwelcome circumstance; a chance or situation involving such a possibility."
>>> >
>>> > The result of a weakness being leveraged and unwelcome outcomes.
>>> >
>>> >
>>> >
>>> > Eoin Keary
>>> > Owasp Global Board
>>> > +353 87 977 2988
>>> >
>>> >
>>> > On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>> >
>>> >>> T10 lists does not accurately reflect the most dangerous "risks" or
>>> >>> that it would be better to name it differently?
>>> >>
>>> >> The commentary that I received was that the term "risk" did not
>>> >> actually reflect the items on the lists. Folks have told me it should
>>> >> be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>> >>
>>> >> I'm not sure what the right answer is here...
>>> >>
>>> >> Aloha,
>>> >> --
>>> >> Jim Manico
>>> >> @Manicode
>>> >> (808) 652-3805
>>> >>
>>> >>> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>> >>>
>>> >>> T10 lists does not accurately reflect the most dangerous "risks" or
>>> >>> that it would be better to name it differently?
>>> >> _______________________________________________
>>> >> OWASP-Leaders mailing list
>>> >> OWASP-Leaders at lists.owasp.org
>>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> > _______________________________________________
>>> > Owasp-community mailing list
>>> > Owasp-community at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-community
>>>
>>
>>
>