[Owasp-leaders] [Owasp-community] OT10 Risks?

Kevin W. Wall kevin.w.wall at gmail.com
Sat Sep 27 03:41:13 UTC 2014


Eoin,

I'll second that idea. I was just about to make the same suggestion to Dave.
-kevin

On Fri, Sep 26, 2014 at 8:58 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> Good call Dave. Makes perfect sense now you say it, would it be an idea to
> include this explanation in the top 10 foreword ?
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 24 Sep 2014, at 02:26, "Dave Wichers" <dave.wichers at owasp.org> wrote:
>
> We thought about this pretty hard when switching from Vulns to Risks in the
> title of the Top 10. Here were our thoughts:
>
> - Switching to Risks we thought was important because organizations
> care about risks, not vulns. Just because a vuln is prevalent (like info
> leaks/error handling/system.out.printlns()/etc.) doesn’t mean it introduces
> a Top 10 level risk. So, organizing the Top 10 into the 10 largest risks
> helps to focus it on what’s most important.
>
> - OK – given the new risk focus, we had a history of using
> vulnerability names in the earlier releases which were about Vulns. So we
> had a choice to make. Change all the names so they sound like Risks, or
> retain the names that people are used to, to avoid introducing unfamiliar
> terms that are confusing.
>
>   - And we decided to go with the "use familiar terms" approach, even though
> we knew that some of those terms aren’t technically risks, they are vulns,
> or weaknesses, or whatever.
>
> So, we readily admit that the Top 10 category names aren’t all exactly
> risks, particularly the very technical ones like Injection, XSS and CSRF,
> but those 3 terms in particular are very well known and replacing their
> names with a risk based description of those issues we felt would do more
> harm than good.
>
> For example, what if we called XSS something like what CWE-79 does:
> “Improper Neutralization of Input During Web Page Generation”. That would
> confuse the hell out of most people, so we stuck with the familiar terms
> instead.
>
> So, a fair and reasonable topic to discuss. But this is our rationale as to
> why we did it this way and I still think it’s the right thing for the Top
> 10.
>
> -Dave
>
> Dave Wichers
> OWASP Top 10 Project Lead
>
> From: owasp-community-bounces at lists.owasp.org
> [mailto:owasp-community-bounces at lists.owasp.org] On Behalf Of Neil Smithline
> Sent: Monday, September 22, 2014 1:35 PM
> To: Josh Sokol
> Cc: owasp-community at lists.owasp.org; owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-community] [Owasp-leaders] OT10 Risks?
>
> Some history...
>
> The 2004 and 2007 T10s are titled "The Ten Most Critical Web Application
> Security *Vulnerabilities*". The 2010 and 2013 are "The Ten Most Critical
> Web Application Security *Risks*". This name change was a major topic of
> discussion while developing the 2010 T10.
>
> My recollection, which admittedly is a bit fuzzy, is that the thought was
> that risks are what you train your staff to avoid. Improper defense against
> the risks leads to specific vulnerabilities and ultimately successful
> attacks. At the time of writing the 2010 T10, there was great debate about
> the meaning of vulnerabilities and risks. The problem wasn't that people
> didn't understand these terms. Quite the contrary, the problem was that
> nearly everyone had their own definitions of these terms.
>
> My suspicion is that the items in the 2013 T10 (I'm only interested in the
> newest T10) span terms such as risks, vulnerabilities, threats, attacks,
> etc... The definitions were unclear during the writing of the T10 and, based
> on this email thread, are still up for grabs. So we may never be able to
> categorize what is in the 2013 T10. During writing of the T10, we focused on
> our goal of making the T10 of utility to engineering organizations and
> didn't worry about having consensus about definitions.
>
> Going forward....
>
> I question whether we'll ever come up with consistent terms that we agree
> on. If we did come up with consistent terms, what would we do with them? Use
> them as a framework for future OWASP work? Other?
>
> Neil Smithline
> 408-634-5764
> http://www.neilsmithline.com
>
> On Mon, Sep 22, 2014 at 12:52 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
> I'm not sure I interpret it the same way.  Depends really on your definition
> of a "system" (arguing topicality here Jim).  How about "an assemblage or
> combination of things or parts forming a complex or unitary whole".  By that
> definition a system could be a web application, a database like MySQL or
> Oracle, or an actual computer.  So, if a web application can be a system,
> then, by definition, SQL Injection can be a vulnerability in that system.
> No?  And yes, it can also be an attack type.
>
> ~josh
>
>
>
> On Mon, Sep 22, 2014 at 11:46 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
> This is not true from Mitre's perspective. Per Mitre:
>
> SQL injection is an attack type. Only a system can be vulnerable. So a
> vulnerability per Mitre (per my reading) is an actual weakness in an actual
> system, hence...
>
> CVE = actual issues in real systems and (key letter V)
>
> CAPEC = abstract attack type definitions
> --
>
> Jim Manico
>
> @Manicode
>
> (808) 652-3805
>
>
> On Sep 22, 2014, at 12:42 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
> If you want to get technical, XSS is a vulnerability.  Getting XSS'ed is
> exploitation of that vulnerability.  An example of a risk would be the
> compromise of customer data resulting from the exploitation of a XSS
> vulnerability.
>
> If anyone is interested in learning more about Risk (and SimpleRisk), I'm
> teaching a 1-day class on it at LASCON this year.
>
>
>
> ~josh
>
>
>
> On Sun, Sep 21, 2014 at 4:13 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>
> Xss is not a risk :)  Getting XSS'ed is if you are vulnerable.
>
> It's a top 10 of most common vulns.
> But if you actually did a top 10 (of common vulns)  the top 5 would be SSL
> and security header related and make for slow reading. :)
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
> On 21 Sep 2014, at 17:04, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>> Risk != vuln
>>
>> Risk is defined as:
>> "(Exposure to) the possibility of loss, injury, or other adverse or
>> unwelcome circumstance; a chance or situation involving such a possibility."
>>
>> The result of a weakness being leveraged and unwelcome outcomes.
>>
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>>> T10 lists does not accurately
>>> reflect the most dangerous "risks" or that it would be better to name it
>>> differently?
>>>
>>> The commentary that I received was that the term "risk" did not
>>> actually reflect the items on the lists. Folks have told me it should
>>> be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>>
>>> I'm not sure what the right answer is here...
>>>
>>> Aloha,
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>>
>>>> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>
>>>> T10 lists does not accurately
>>>> reflect the most dangerous "risks" or that it would be better to name it
>>>> differently?
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> _______________________________________________
>> Owasp-community mailing list
>> Owasp-community at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-community



-- 
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.

