[Owasp-leaders] [Owasp-community] OT10 Risks?

Jim Manico jim.manico at owasp.org
Mon Sep 22 17:12:16 UTC 2014


I'm just going with Mitre and the CVE, CWE and CAPEC definitions. A system
is surely debatable and I've seen CVE's on products, services and coding
libraries.

But the points I am trying to make still stand: SQL injection by itself is
an attack type, many smart groups use these terms loosey-goosey, and the
OWASP top ten risks seems misnamed by many.

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

On Sep 22, 2014, at 12:52 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

I'm not sure I interpret it the same way.  Depends really on your
definition of a "system" (arguing topicality here Jim).  How about "an
assemblage or combination of things or parts forming a complex or
unitary whole".
By that definition a system could be a web application, a database like
MySQL or Oracle, or an actual computer.  So, if a web application can be a
system, then, by definition, SQL Injection can be a vulnerability in that
system.  No?  And yes, it can also be an attack type.

~josh

On Mon, Sep 22, 2014 at 11:46 AM, Jim Manico <jim.manico at owasp.org> wrote:

> This is not true from Mitre's perspective. Per Mitre:
>
> SQL injection is an attack type. Only a system can be vulnerable. So a
> vulnerability per Mitre (per my reading) is an actual weakness in an actual
> system, hence...
>
> CVE = actual issues in real systems and  (key letter V)
> CAPEC = abstract attack type definitions
>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Sep 22, 2014, at 12:42 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
> If you want to get technical, XSS is a vulnerability.  Getting XSS'ed is
> exploitation of that vulnerability.  An example of a risk would be the
> compromise of customer data resulting from the exploitation of an XSS
> vulnerability.
>
> If anyone is interested in learning more about Risk (and SimpleRisk), I'm
> teaching a 1-day class on it at LASCON this year.
>
> ~josh
>
> On Sun, Sep 21, 2014 at 4:13 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>>
>> Xss is not a risk :)  Getting XSS'ed is if you are vulnerable.
>>
>> It's a top 10 of most common vulns.
>> But if you actually did a top 10 (of common vulns)  the top 5 would be
>> SSL and security header related and make for slow reading. :)
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 21 Sep 2014, at 17:04, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>> > Risk != vuln
>> >
>> > Risk is defined as:
>> > "(Exposure to) the possibility of loss, injury, or other adverse or
>> > unwelcome circumstance; a chance or situation involving such a possibility."
>> >
>> > The result of a weakness being leveraged and unwelcome outcomes.
>> >
>> >
>> >
>> > Eoin Keary
>> > Owasp Global Board
>> > +353 87 977 2988
>> >
>> >
>> > On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>> >
>> >>> T10 lists does not accurately
>> >>> reflect the most dangerous "risks" or that it would be better to name it
>> >>> differently?
>> >>
>> >> The commentary that I received was that the term "risk" did not
>> >> actually reflect the items on the lists. Folks have told me it should
>> >> be "vulnerabilities" or "attacks" or "weaknesses" and more.
>> >>
>> >> I'm not sure what the right answer is here...
>> >>
>> >> Aloha,
>> >> --
>> >> Jim Manico
>> >> @Manicode
>> >> (808) 652-3805
>> >>
>> >>> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>> >>>
>> >>> T10 lists does not accurately
>> >>> reflect the most dangerous "risks" or that it would be better to name it
>> >>> differently?
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> > _______________________________________________
>> > Owasp-community mailing list
>> > Owasp-community at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-community
>>
>
>