[Owasp-leaders] [Owasp-community] OT10 Risks?

Jim Manico jim.manico at owasp.org
Mon Sep 22 17:25:11 UTC 2014


I am being pedantic, but you need to be when talking about nomenclature,
Josh. We are supposedly "experts" on AppSec and can't get it straight. This
is a pretty big problem industry-wide in my opinion.

Inclusion of a control is not in and of itself risk mitigation.

Implementing a •control• that addresses a specific •exploitable weakness•
in a live system (a vulnerability in a live system) is risk mitigation.

For example, you may have lack of query parameterization but no database,
so that's not a real weakness or vuln that needs to be addressed.
--
Jim Manico
@Manicode
(808) 652-3805

On Sep 22, 2014, at 1:16 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

I know what he said.  I was expounding on it.  Lack of those is a weakness,
sure.  Inclusion of those is risk mitigation.  That's all I'm suggesting
there.

~josh

On Mon, Sep 22, 2014 at 12:08 PM, Jim Manico <jim.manico at owasp.org> wrote:

> > And in Bill's example, parameterized queries, input validation, and
> output encoding would be considered risk mitigation.
>
> Bill said LACK OF parameterized queries and others which is a
> •weakness•, not risk mitigation.
>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> > On Sep 22, 2014, at 12:59 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> >
> > And in Bill's example, parameterized queries, input validation, and
> output encoding would be considered risk mitigation.
>
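The distinction Jim draws above (a control only mitigates risk when it addresses an exploitable weakness in a live system) is easiest to see with the example both sides keep citing, query parameterization. The following is an added illustration, not code from the thread or from any OWASP project: it builds a throwaway in-memory SQLite table with constructed sample rows, runs the same lookup once with string concatenation (the weakness) and once with a bound parameter (the control), and shows that the concatenated form lets a tautology input return every row while the parameterized form treats that input as an ordinary, non-matching name. The function and table names are assumptions for the demo.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the mailing list thread).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def build_db():
    """Create an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Weakness: the query text is assembled from untrusted input, so the
    input can change the SQL grammar rather than just supply a value.
    This is only a real vulnerability when such a query actually reaches
    a live database, which is Jim's point about the no-database case."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Control: the driver binds the value to a placeholder, so whatever
    the caller passes stays data and is never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo(name):
    """Run both lookups against a fresh database and return both results."""
    conn = build_db()
    try:
        return lookup_concat(conn, name), lookup_param(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal name behaves the same either way.
    print(demo("alice"))
    # A tautology input shows the difference: the concatenated query returns
    # every row, the parameterized query returns nothing.
    print(demo("x' OR '1'='1"))
```

For a review or threat model, the useful reading of the output is that the weakness (concatenation) exists in both cases, but the risk only materializes where a live database answers the query; the control (binding) removes that exploitability regardless of input.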