[Owasp-leaders] [Owasp-community] OT10 Risks?

Neil Smithline neil.smithline at owasp.org
Thu Sep 25 01:43:28 UTC 2014


>> My only issue with the T10 is that it is too generic, and what I really
>> would like to give devs, is a version of that document for the technology
>> stack they are using.

Interesting idea Dinis. I think it should be a separate thread but it is an
idea that may have legs. The technology-specific T10s could be written over
time and refer back to the most recent T10.

I think this is a very interesting idea.
On Sep 24, 2014 8:18 PM, "Dinis Cruz" <dinis.cruz at owasp.org> wrote:

> My view of the Owasp Top 10 is that it is an awareness document and a good
> place to start on Application security (coding, exploiting or mitigating)
>
> As this thread shows, there is a bigger problem in our industry which is
> the definition of terms (and that is before others take what we/owasp
> publishes and invent on top (like the ones that talk about Owasp top 10
> compliance or certifications))
>
> My only issue with the T10 is that it is too generic, and what I really
> would like to give devs, is a version of that document for the technology
> stack they are using.
>
> For example the 'Owasp Top 10 for Node, Express, Jade, CouchDB and
> AngularJS' (the best case scenario would be a very small doc, since those
> frameworks would handle by default a number of T10 items, like how
> AngularJs and Jade can help a lot on XSS)
> On 22 Sep 2014 18:36, "Neil Smithline" <neil.smithline at owasp.org> wrote:
>
>> Some history...
>>
>> The 2004 and 2007 T10s are titled "The Ten Most Critical Web Application
>> Security **Vulnerabilities**". The 2010 and 2013 are "The Ten Most
>> Critical Web Application Security **Risks**". This name change was a
>> major topic of discussion while developing the 2010 T10.
>>
>> My recollection, which admittedly is a bit fuzzy, is that the thought was
>> that risks are what you train your staff to avoid. Improper defense against
>> the risks leads to specific vulnerabilities and ultimately successful
>> attacks. At the time of writing the 2010 T10, there was great debate about
>> the meaning of vulnerabilities and risks. The problem wasn't that people
>> didn't understand these terms. Quite the contrary, the problem was that
>> nearly everyone had their own definitions of these terms.
>>
>> My suspicion is that the items in the 2013 T10 (I'm only interested in
>> the newest T10) span terms such as risks, vulnerabilities, threats,
>> attacks, etc... The definitions were unclear during the writing of the T10
>> and, based on this email thread, are still up for grabs. So we may never be
>> able to categorize what is in the 2013 T10. During writing of the T10, we
>> focused on our goal of making the T10 of utility to engineering
>> organizations and didn't worry about having consensus about definitions.
>>
>> Going forward....
>>
>> I question whether we'll ever come up with consistent terms that we agree
>> on. If we did come up with consistent terms, what would we do with them?
>> Use them as a framework for future OWASP work? Other?
>>
>>
>>
>>
>> Neil Smithline
>> 408-634-5764
>> http://www.neilsmithline.com
>>
>> On Mon, Sep 22, 2014 at 12:52 PM, Josh Sokol <josh.sokol at owasp.org>
>> wrote:
>>
>>> I'm not sure I interpret it the same way. Depends really on your
>>> definition of a "system" (arguing topicality here Jim). How about "an
>>> assemblage or combination of things or parts forming a complex or
>>> unitary whole". By that definition a system could be a web
>>> application, a database like MySQL or Oracle, or an actual computer. So,
>>> if a web application can be a system, then, by definition, SQL Injection
>>> can be a vulnerability in that system. No? And yes, it can also be an
>>> attack type.
>>>
>>> ~josh
>>>
>>> On Mon, Sep 22, 2014 at 11:46 AM, Jim Manico <jim.manico at owasp.org>
>>> wrote:
>>>
>>>> This is not true from Mitre's perspective. Per Mitre:
>>>>
>>>> SQL injection is an attack type. Only a system can be vulnerable. So a
>>>> vulnerability per Mitre (per my reading) is an actual weakness in an actual
>>>> system, hence...
>>>>
>>>> CVE = actual issues in real systems and  (key letter V)
>>>> CAPEC = abstract attack type definitions
>>>>
>>>> --
>>>> Jim Manico
>>>> @Manicode
>>>> (808) 652-3805
>>>>
>>>> On Sep 22, 2014, at 12:42 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>
>>>> If you want to get technical, XSS is a vulnerability. Getting XSS'ed
>>>> is exploitation of that vulnerability. An example of a risk would be the
>>>> compromise of customer data resulting from the exploitation of a XSS
>>>> vulnerability.
>>>>
>>>> If anyone is interested in learning more about Risk (and SimpleRisk),
>>>> I'm teaching a 1-day class on it at LASCON this year.
>>>>
>>>> ~josh
>>>>
>>>> On Sun, Sep 21, 2014 at 4:13 PM, Eoin Keary <eoin.keary at owasp.org>
>>>> wrote:
>>>>
>>>>>
>>>>> Xss is not a risk :) Getting XSS'ed is if you are vulnerable.
>>>>>
>>>>> It's a top 10 of most common vulns.
>>>>> But if you actually did a top 10 (of common vulns) the top 5 would be
>>>>> SSL and security header related and make for slow reading. :)
>>>>>
>>>>>
>>>>> Eoin Keary
>>>>> Owasp Global Board
>>>>> +353 87 977 2988
>>>>>
>>>>>
>>>>> On 21 Sep 2014, at 17:04, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>>
>>>>> > Risk != vuln
>>>>> >
>>>>> > Risk is defined as:
>>>>> > "(Exposure to) the possibility of loss, injury, or other adverse or
>>>>> > unwelcome circumstance; a chance or situation involving such a possibility."
>>>>> >
>>>>> > The result of a weakness being leveraged and unwelcome outcomes.
>>>>> >
>>>>> >
>>>>> >
>>>>> > Eoin Keary
>>>>> > Owasp Global Board
>>>>> > +353 87 977 2988
>>>>> >
>>>>> >
>>>>> > On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>>>> >
>>>>> >>> T10 lists does not accurately
>>>>> >>> reflect the most dangerous "risks" or that it would be better to
>>>>> >>> name it differently?
>>>>> >>
>>>>> >> The commentary that I received was that the term "risk" did not
>>>>> >> actually reflect the items on the lists. Folks have told me it
>>>>> >> should be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>>>> >>
>>>>> >> I'm not sure what the right answer is here...
>>>>> >>
>>>>> >> Aloha,
>>>>> >> --
>>>>> >> Jim Manico
>>>>> >> @Manicode
>>>>> >> (808) 652-3805
>>>>> >>
>>>>> >>> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org>
>>>>> >>> wrote:
>>>>> >>>
>>>>> >>> T10 lists does not accurately
>>>>> >>> reflect the most dangerous "risks" or that it would be better to
>>>>> >>> name it differently?
>>>>> >> _______________________________________________
>>>>> >> OWASP-Leaders mailing list
>>>>> >> OWASP-Leaders at lists.owasp.org
>>>>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>> > _______________________________________________
>>>>> > Owasp-community mailing list
>>>>> > Owasp-community at lists.owasp.org
>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-community
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>