[Owasp-leaders] [Owasp-topten] OT10 Risks?

Jim Manico jim.manico at owasp.org
Wed Sep 24 19:27:45 UTC 2014


Fair analysis, I appreciate you jumping into this thread.

I consider "Parameter Tampering" to be more like an abstract technique than
an attack pattern. Parameter tampering with what payload, with what attack
type, against what weakness?

To your point, XSS is also fairly generic. Again, what kind of attack
payload? Defacement? Session theft? Redirection? Stored CSRF?

MITRE considers Cross Site Scripting to be a *weakness*.

They consider the various variants of Cross Site Scripting to be *attack
patterns*, such as:
http://capec.mitre.org/data/definitions/32.html as well as listing XSS
variants as weakness details.

After watching a lot of very smart people participate in this thread with
very different (yet reasonable) answers, I say we have a nomenclature
problem that needs to be solved.

Jim Manico
(808) 652-3805

On Sep 24, 2014, at 10:31 AM, Jeff Williams <jeff.williams at owasp.org> wrote:

Jim, in your message you asked "What should it be?"  And to me there is no
question that the T10 should identify a set of risks.  We need to start
from the perspective of what will be the most useful to folks trying to get
themselves secure.  And to me, they need a description of the risks to
their enterprise.

But what to call them? The risk of XSS being exploited is a good example.
The attack is some form of parameter manipulation or injection, the
weakness might be lack of input validation or proper encoding, the
associated control is the validation or encoding engine, the technical
impact is an authenticated user's browser takeover, and the business impact
is most likely reputation damage or compliance violation.  We need a name
for this risk.

The obvious choice is to call this XSS.


On Wed, Sep 24, 2014 at 6:37 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Simone,
> I am very grateful for how seriously you took my question and how deeply
> you answered it. This is super helpful. I'll get back to you off-list with
> commentary soon.
> Thanks again and well done,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> On Sep 24, 2014, at 3:31 AM, Simone Onofri <simone.onofri at gmail.com>
> wrote:
> Dear Jim,
> Literally speaking it is correct, e.g. a SQL Injection is not a Risk by
> definition, but the latest editions of the TOP 10 are getting into some
> analysis, like a Risk Analysis of the most frequent "issues" in Web Application
> Security (I am using "issues" as a generic term), and I think with a few
> edits it can also become "correct" by definition.
>
> Let me explain with two examples, using the most generic definition of Risk
> that can be taken from M_o_R / ISO 31000 and ISO 27000:
>  - M_o_R [1]: "An uncertain event or set of events that, should it occur,
> will have an effect on the achievement of objectives. A risk is measured by
> a combination of the probability of a perceived threat or opportunity
> occurring and the magnitude of its impact on objectives." We can remap this
> onto our context as something like "An uncertain event that, should it occur,
> will have an effect on the achievement of IT Security objectives". An important
> concept in this definition is that it is not bad. It depends. If the effect
> is positive we can call it an opportunity (but that is not the case for our
> TOP 10); if the effect is negative it is also called a threat in M_o_R.
>  - ISO 27000 [2]: "effect of uncertainty on objective", in which the effect
> is a deviation (positive or negative) generating an impact, but we are
> not sure of the event which actualises the risk. How is it possible to
> actualise a risk? If the asset (something that has a value for the
> organization) or a control (a measure we can use to modify the risk) has a
> vulnerability, which is a weakness that can be exploited by threats (the
> potential cause) during an attack (the attempt to destroy, expose, alter,
> disable, steal or gain unauthorized access to or make unauthorized use of
> an asset) by someone or something.
>
> In particular, in the 27000 definition I see more of the concepts and analysis
> of the latest TOP 10 version. Taking the example of Injection [3], with the
> specific example of a SQL Injection, as described:
> We have some assets (e.g. the application, the database, the data in the
> database) and if we have some weaknesses (read "Security Weaknesses",
> e.g. no or poor input validation, poorly written code with inline SQL queries
> and not prepared statements), someone or something (read "Threat Agent")
> can cause a specific Impact (and I love the separation of Technical and
> Business impact in the TOP 10).
> And the section "How Do I Prevent 'Injection'?" sounds like "which kind of
> Controls" I can use to protect myself.
>
> The TOP 10 talks about the Analysis of the most common Risks that can occur with
> the most frequent weaknesses/vulnerabilities, speaking in ISO language.
> My two cents,
> Simone
> [1]
> https://www.exin.com/assets/exin/frameworks/126/glossaries/english_glossary_of_terms_mor_201404.pdf
> [2] http://standards.iso.org/ittf/licence.html
> [3] https://www.owasp.org/index.php/Top_10_2013-A1-Injection
> On Sun, Sep 21, 2014 at 10:40 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Aloha Community and Leaders,
>> During the many hallway conversations had at AppSec USA in Denver,
>> AppSec nomenclature came up on a number of occasions. I heard several
>> folks claim that the "OWASP Top Ten *Risks*" was mis-named and that
>> the list is not really risks.
>> Is this a fair perspective? What should it be?
>> I am uncertain of this myself and am asking to trigger an intelligent
>> conversation; I in no way wish to harm the many volunteers who have
>> made the various OT10 lists happen.
>> Thoughts?
>> Aloha,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> _______________________________________________
>> Owasp-topten mailing list
>> Owasp-topten at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-topten
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders