[Owasp-leaders] [Owasp-community] OT10 Risks?

Michael Coates michael.coates at owasp.org
Mon Sep 22 18:02:00 UTC 2014


Seems we're trying to reinvent the wheel here. We should reference
established taxonomies with clear definitions. Then compare the definitions
with the Top 10 approach and resolve discrepancies, if any.

Do we agree or disagree with what we have on OWASP already?

https://www.owasp.org/index.php/Category:Vulnerability

Other sources:
https://cve.mitre.org/about/terminology.html
http://en.wikipedia.org/wiki/Vulnerability_(computing)

(repeat for all terms - vulnerability, attack, risk, etc)




--
Michael Coates
Chairman, OWASP Board
@_mwc


On Mon, Sep 22, 2014 at 10:50 AM, Josh Sokol <josh.sokol at owasp.org> wrote:

> I would agree with this Jim.  Inclusion of a control is only risk
> mitigation if there is a risk that you are mitigating.
>
> ~josh
>
> On Mon, Sep 22, 2014 at 12:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> I am being pedantic, but you need to be when talking about nomenclature,
>> Josh. We are supposed "experts" on AppSec and can't get it straight. This
>> is a pretty big problem industry-wide in my opinion.
>>
>> Inclusion of a control is not in and of itself risk mitigation.
>>
>> Implementing a •control• that addresses a specific •exploitable weakness•
>> in a live system (a vulnerability in a live system) is risk mitigation.
>>
>> For example, you may have lack of query parameterization but no database,
>> so that's not a real weakness or vuln that needs to be addressed.
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Sep 22, 2014, at 1:16 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>> I know what he said.  I was expounding on it.  Lack of those is a
>> weakness, sure.  Inclusion of those is risk mitigation.  That's all I'm
>> suggesting there.
>>
>> ~josh
>>
>> On Mon, Sep 22, 2014 at 12:08 PM, Jim Manico <jim.manico at owasp.org>
>> wrote:
>>
>>> > And in Bill's example, parameterized queries, input validation, and
>>> output encoding would be considered risk mitigation.
>>>
>>> Bill said LACK OF parameterized queries and others which is a
>>> •weakness•, not risk mitigation.
>>>
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>>
>>> > On Sep 22, 2014, at 12:59 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> >
>>> > And in Bill's example, parameterized queries, input validation, and
>>> output encoding would be considered risk mitigation.
>>>
>>
>>
>
> _______________________________________________
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-community
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140922/0da1b044/attachment-0001.html>
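The weakness/vulnerability/control distinction Jim draws above, as an added example that is not part of the thread: the same string-concatenated query is only a weakness until it is executed against a real database with attacker-controlled input, at which point it is an exploitable vulnerability, and query parameterization is the control that addresses it. The in-memory SQLite table, the user names and the payload string are constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the thread): an in-memory SQLite database
# stands in for the "live system" in Jim Manico's example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("carol", "s3")],
    )
    conn.commit()
    return conn


def build_lookup_concat(name):
    # The weakness: untrusted input is spliced into the SQL text. On its own
    # this is just a bad string; nothing is exploited until it is executed.
    return "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"


def find_user_concat(conn, name):
    # The vulnerability: the weak query is executed against a live database
    # with input the caller does not control.
    return [row[0] for row in conn.execute(build_lookup_concat(name))]


def find_user_param(conn, name):
    # The control: the driver binds the value, so it is never parsed as SQL.
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


# Constructed attacker input: closes the string literal and adds a tautology.
PAYLOAD = "' OR '1'='1"


def demo():
    """Run both lookups with a benign name and with the payload."""
    conn = make_db()
    return {
        "concat_normal": find_user_concat(conn, "alice"),
        "concat_payload": find_user_concat(conn, PAYLOAD),   # every row leaks
        "param_normal": find_user_param(conn, "alice"),
        "param_payload": find_user_param(conn, PAYLOAD),     # no match
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} -> {rows}")
```

`build_lookup_concat` returns a string containing injected SQL whether or not a database exists; that is the weakness. Only `find_user_concat`, which executes it against the live table, turns it into something an attacker can exploit, and only there does switching to `find_user_param` count as mitigating a risk rather than adding a control for its own sake.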