[Owasp-leaders] [Owasp-community] OT10 Risks?

Josh Sokol josh.sokol at owasp.org
Mon Sep 22 17:50:59 UTC 2014


I would agree with this Jim.  Inclusion of a control is only risk
mitigation if there is a risk that you are mitigating.

~josh

On Mon, Sep 22, 2014 at 12:25 PM, Jim Manico <jim.manico at owasp.org> wrote:

> I am being pedantic, but you need to be when talking about nomenclature,
> Josh. We are supposed "experts" on AppSec and can't get it straight. This
> is a pretty big problem industry-wide in my opinion.
>
> Inclusion of a control is not in and of itself risk mitigation.
>
> Implementing a •control• that addresses a specific •exploitable weakness•
> in a live system (a vulnerability in a live system) is risk mitigation.
>
> For example, you may have lack of query parameterization but no database,
> so that's not a real weakness or vuln that needs to be addressed.
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Sep 22, 2014, at 1:16 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
> I know what he said.  I was expounding on it.  Lack of those is a
> weakness, sure.  Inclusion of those is risk mitigation.  That's all I'm
> suggesting there.
>
> ~josh
>
> On Mon, Sep 22, 2014 at 12:08 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> > And in Bill's example, parameterized queries, input validation, and
>> output encoding would be considered risk mitigation.
>>
>> Bill said LACK OF parameterized queries and others which is a
>> •weakness•, not risk mitigation.
>>
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> > On Sep 22, 2014, at 12:59 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> >
>> > And in Bill's example, parameterized queries, input validation, and
>> output encoding would be considered risk mitigation.
>>
>
>
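The distinction argued in the thread above (a missing control is a weakness; the control is risk mitigation only where the weakness is actually exploitable), shown as an added example that is not part of the original thread. It assumes Python's standard-library sqlite3 module and a constructed in-memory table; the string-concatenated query is the weakness Bill's example refers to, and the parameterized query is the control.

```python
import sqlite3

# Constructed sample data: an in-memory database so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


# The weakness: untrusted input is concatenated into SQL text. It only becomes
# a vulnerability when the string is actually sent to a live database.
def find_user_concat(conn, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


# The control: the same query with a bound parameter. The database driver
# treats `name` strictly as data, so no input can change the query structure.
def find_user_param(conn, name):
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


# A hypothetical injection payload (constructed for the example): it closes
# the quoted literal and appends a tautology, turning the WHERE clause into
# name = 'x' OR '1'='1', which matches every row.
INJECTION = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "concat_normal": find_user_concat(conn, "bob"),
        "concat_injected": find_user_concat(conn, INJECTION),
        "param_normal": find_user_param(conn, "bob"),
        "param_injected": find_user_param(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running it shows the weakness only matters once a query reaches the database: the concatenated form returns all three users for the injected input, while the parameterized form returns nothing for it and the same single row for ordinary input.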