[Owasp-leaders] [Owasp-community] OT10 Risks?

Mario Robles mario.robles at owasp.org
Tue Sep 23 22:18:22 UTC 2014


Something I've been wondering is:
According to the OWASP Top 10

Risk = Injection
Vulns = OS command injection, SQL injection, XPath injection, LDAP injection, etc.

So

Risk = XSS ??? != lack of input validation or output encoding

Vulns = XSS, iFrame injection, Parameter Tampering, etc

I understand that XSS is widespread, but if the OT10 is about risks then I
think it should be consistent, IMHO.

Jim, I'm confused on something. I thought mitigation is like reducing the
risk without completely removing it, and remediating is fixing it. Well,
actually that's the way I use the terms, so it would be interesting for me to
read comments about it.

Example:
Vulnerability = SQL Injection
Mitigation = implementing a WAF
Remediation = parameterized queries

Regards,

$('Mario')
# Please excuse any typos as this was sent from a mobile device
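The SQL injection example above (vulnerability = SQL injection, remediation = parameterized queries) can be shown concretely. The following is an added example, not code from this thread or from OWASP: it builds a constructed in-memory SQLite table, runs the same lookup once with the input concatenated into the SQL text and once with the input bound as a parameter, and counts the rows each returns for an honest name and for a classic injection string. The table contents, function names and inputs are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not real users).
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_vulnerable(conn, name):
    """The vulnerability: untrusted input is spliced into the SQL text,
    so the database parses it as part of the statement."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_by_name_remediated(conn, name):
    """The remediation: the value is bound as a parameter, so the database
    only ever sees it as data, never as SQL syntax."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed inputs: an honest lookup and the textbook tautology string.
HONEST_INPUT = "alice"
INJECTED_INPUT = "' OR '1'='1"


def demo():
    """Return row counts for each function/input pair so the difference
    between the vulnerable and remediated lookups is measurable."""
    conn = make_db()
    return {
        "vuln_honest": len(find_by_name_vulnerable(conn, HONEST_INPUT)),
        "vuln_injected": len(find_by_name_vulnerable(conn, INJECTED_INPUT)),
        "fixed_honest": len(find_by_name_remediated(conn, HONEST_INPUT)),
        "fixed_injected": len(find_by_name_remediated(conn, INJECTED_INPUT)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

The concatenated version returns every row for the injected input because the WHERE clause has become a tautology; the parameterized version returns no rows, because no user is literally named `' OR '1'='1`. A WAF in front of the vulnerable function could block this particular string, which is why the thread calls it a mitigation rather than a remediation: the defect in the query construction is still there.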

On 22/09/2014, at 11:36 a.m., Neil Smithline <neil.smithline at owasp.org>
wrote:

Some history...

The 2004 and 2007 T10s are titled "The Ten Most Critical Web Application
Security **Vulnerabilities**". The 2010 and 2013 are "The Ten Most Critical
Web Application Security **Risks**". This name change was a major topic of
discussion while developing the 2010 T10.

My recollection, which admittedly is a bit fuzzy, is that the thought was
that risks are what you train your staff to avoid. Improper defense against
the risks leads to specific vulnerabilities and ultimately successful
attacks. At the time of writing the 2010 T10, there was great debate about
the meaning of vulnerabilities and risks. The problem wasn't that people
didn't understand these terms. Quite the contrary, the problem was that
nearly everyone had their own definitions of these terms.

My suspicion is that the items in the 2013 T10 (I'm only interested in the
newest T10) span terms such as risks, vulnerabilities, threats, attacks,
etc... The definitions were unclear during the writing of the T10 and,
based on this email thread, are still up for grabs. So we may never be able
to categorize what is in the 2013 T10. During writing of the T10, we
focused on our goal of making the T10 of utility to engineering
organizations and didn't worry about having consensus about definitions.

Going forward....

I question whether we'll ever come up with consistent terms that we agree
on. If we did come up with consistent terms, what would we do with them?
Use them as a framework for future OWASP work? Other?
Neil Smithline
408-634-5764
http://www.neilsmithline.com

On Mon, Sep 22, 2014 at 12:52 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> I'm not sure I interpret it the same way.  Depends really on your
> definition of a "system" (arguing topicality here Jim).  How about "an
> assemblage or combination of things or parts forming a complex or unitary whole".
> By that definition a system could be a web application, a database like
> MySQL or Oracle, or an actual computer.  So, if a web application can be a
> system, then, by definition, SQL Injection can be a vulnerability in that
> system.  No?  And yes, it can also be an attack type.
>
> ~josh
>
> On Mon, Sep 22, 2014 at 11:46 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> This is not true from Mitre's perspective. Per Mitre:
>>
>> SQL injection is an attack type. Only a system can be vulnerable. So a
>> vulnerability per Mitre (per my reading) is an actual weakness in an actual
>> system, hence...
>>
>> CVE = actual issues in real systems (key letter V)
>> CAPEC = abstract attack type definitions
>>
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Sep 22, 2014, at 12:42 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>> If you want to get technical, XSS is a vulnerability.  Getting XSS'ed is
>> exploitation of that vulnerability.  An example of a risk would be the
>> compromise of customer data resulting from the exploitation of a XSS
>> vulnerability.
>>
>> If anyone is interested in learning more about Risk (and SimpleRisk), I'm
>> teaching a 1-day class on it at LASCON this year.
>>
>> ~josh
>>
>> On Sun, Sep 21, 2014 at 4:13 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>>>
>>> XSS is not a risk :) Getting XSS'ed is if you are vulnerable.
>>>
>>> It's a top 10 of most common vulns.
>>> But if you actually did a top 10 (of common vulns) the top 5 would be
>>> SSL and security header related and make for slow reading. :)
>>>
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>> On 21 Sep 2014, at 17:04, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>
>>> > Risk != vuln
>>> >
>>> > Risk is defined as:
>>> > "(Exposure to) the possibility of loss, injury, or other adverse or
>>> > unwelcome circumstance; a chance or situation involving such a possibility."
>>> >
>>> > The result of a weakness being leveraged and unwelcome outcomes.
>>> >
>>> >
>>> >
>>> > Eoin Keary
>>> > Owasp Global Board
>>> > +353 87 977 2988
>>> >
>>> >
>>> > On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>> >
>>> >>> T10 lists do not accurately
>>> >>> reflect the most dangerous "risks" or that it would be better to name it
>>> >>> differently?
>>> >>
>>> >> The commentary that I received was that the term "risk" did not
>>> >> actually reflect the items on the lists. Folks have told me it should
>>> >> be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>> >>
>>> >> I'm not sure what the right answer is here...
>>> >>
>>> >> Aloha,
>>> >> --
>>> >> Jim Manico
>>> >> @Manicode
>>> >> (808) 652-3805
>>> >>
>>> >>> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>> >>>
>>> >>> T10 lists do not accurately
>>> >>> reflect the most dangerous "risks" or that it would be better to
>>> >>> name it differently?
>>> >> _______________________________________________
>>> >> OWASP-Leaders mailing list
>>> >> OWASP-Leaders at lists.owasp.org
>>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> > _______________________________________________
>>> > Owasp-community mailing list
>>> > Owasp-community at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-community