[Owasp-leaders] [Owasp-topten] OT10 Risks?

Josh Sokol josh.sokol at owasp.org
Wed Sep 24 14:51:52 UTC 2014

> We need a name for this risk.  The obvious choice is to call this XSS.

I'm not sure I agree that this choice is so obvious as the one thing that I
think everyone agreed on above is that "XSS" is clearly not a risk.  I
would say that the obvious choice is to rename it to the "Top 10 Web
Application Exploits" or re-phrase each entry as a risk.


On Wed, Sep 24, 2014 at 9:31 AM, Jeff Williams <jeff.williams at owasp.org> wrote:

> Jim, in your message you asked "What should it be?"  And to me there is no
> question that the T10 should identify a set of risks.  We need to start
> from the perspective of what will be the most useful to folks trying to get
> themselves secure.  And to me, they need a description of the risks to
> their enterprise.
> But what to call them? The risk of XSS being exploited is a good example.
> The attack is some form of parameter manipulation or injection, the
> weakness might be lack of input validation or proper encoding, the
> associated control is the validation or encoding engine, the technical
> impact is an authenticated user's browser takeover, and the business impact
> is most likely reputation damage or compliance violation.  We need a name
> for this risk.
> The obvious choice is to call this XSS.
> --Jeff
> On Wed, Sep 24, 2014 at 6:37 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> Simone,
>> I am very grateful at how seriously you took my question and how deeply
>> you answered it. This is super helpful. I'll get back to you off-list with
>> commentary soon.
>> Thanks again and well done,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> On Sep 24, 2014, at 3:31 AM, Simone Onofri <simone.onofri at gmail.com>
>> wrote:
>> Dear Jim,
>> Literally speaking it is correct, e.g. a SQL Injection is not a Risk by
>> definition, but the latest editions of the TOP 10 are getting into some
>> analysis like Risk Analysis of the most frequent "issues" in Web Application
>> Security (I am using issues as a generic term), and I think with a few
>> edits it can also become "correct" by definition.
>> Let me explain with two examples using the most generic definition of Risk
>> that can be taken from M_o_R / ISO 31000 and ISO 27000:
>>  - M_o_R [1]: "An uncertain event or set of events that, should it occur,
>> will have an effect on the achievement of objectives. A risk is measured by
>> a combination of the probability of a perceived threat or opportunity
>> occurring and the magnitude of its impact on objectives." We can remap this on
>> our context as something like "An uncertain event that, should it occur, will
>> have an effect on the achievement of IT Security objectives". An important
>> concept in this definition is that it is not necessarily bad. It depends. If the effect
>> is positive we can call it an opportunity (but that is not the case for our
>> TOP 10); if the effect is negative it is also called a threat in M_o_R.
>>  - ISO 27000 [2]: "effect of uncertainty on objective", in which the effect
>> is a deviation (positive or negative) generating an impact, but we are
>> not sure of the event which actualises the risk. How is it possible to
>> actualise a risk? If the asset (something that has a value for the
>> organization) or a control (a measure we can use to modify the risk) has a
>> vulnerability, which is a weakness that can be exploited by threats (is the
>> potential cause) during an attack (the attempt to destroy, expose, alter,
>> disable, steal or gain unauthorized access to or make unauthorized use of
>> an asset) by someone or something.
>> In particular, in the 27000 definition I see more of the concepts and analysis of the
>> latest TOP 10 version. Taking the example of Injection [3], with the specific
>> example of a SQL Injection, as described:
>> We have some assets (e.g. the application, the database, the data in the
>> database) and if we have some weaknesses (read "Security Weaknesses",
>> e.g. no or poor input validation, poorly written code with inline SQL queries
>> and not prepared statements), someone or something (read "Threat Agent"),
>> causing a specific Impact (and I love the separation of Technical and
>> Business impact in TOP 10).
>> And the section "How Do I Prevent 'Injection'?" sounds like "which kind
>> of Controls" I can use to protect.
>> TOP 10 talks about the Analysis of most common Risks that can occur with
>> the most frequent weaknesses/vulnerabilities, talking in ISO language.
>> My two cents,
>> Simone
>> [1]
>> https://www.exin.com/assets/exin/frameworks/126/glossaries/english_glossary_of_terms_mor_201404.pdf
>> [2] http://standards.iso.org/ittf/licence.html
>> [3] https://www.owasp.org/index.php/Top_10_2013-A1-Injection
>> On Sun, Sep 21, 2014 at 10:40 PM, Jim Manico <jim.manico at owasp.org>
>> wrote:
>>> Aloha Community and Leaders,
>>> During the many hallway conversations had at AppSec USA in Denver,
>>> AppSec nomenclature came up on a number of occasions. I heard several
>>> folks claim that the "OWASP Top Ten *Risks*" was mis-named and that
>>> the list is not really risks.
>>> Is this a fair perspective? What should it be?
>>> I am uncertain of this myself and am asking to trigger an intelligent
>>> conversation; I in no way wish to harm the many volunteers who have
>>> made the various OT10 lists happen.
>>> Thoughts?
>>> Aloha,
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>> _______________________________________________
>>> Owasp-topten mailing list
>>> Owasp-topten at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders