[Owasp-leaders] [Owasp-community] OT10 Risks?

Dave Wichers dave.wichers at owasp.org
Sat Sep 27 16:46:32 UTC 2014


Top 10 risks, not Top 10 most common vulns.

And the risk calculation model is well documented in the Top 10 itself. A
body of data is used to calculate one of the four risk factors (prevalence /
commonality). The other 3 factors are calculated based on professional
experience of the Top 10 project team members because we couldn't find any
publicly available data sets to help with those factors. We
considered/tried to get data around which vulns were actually the most
exploited for the 2013 release, but we couldn't come up with any such data sets.
This will definitely be a topic of discussion and potentially an area of
work for the 2016 update.

-Dave
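
[Editor's note: added example, not part of Dave's message and not the OWASP Top 10 project's own tooling. The script below ranks weakness categories the way the four-factor model described above works: the prevalence factor is derived from a body of findings data, the other three factors are taken as expert ratings. It assumes the 1-to-3 factor scale and the "average of the three likelihood factors times technical impact" combination rule from the 2013 Top 10's "Note About Risks"; the finding counts, the expert ratings and the share thresholds are constructed for illustration. It shows the point of "risks, not most common vulns": the most prevalent category ends up near the bottom of the risk ranking.]

```python
"""Rank weakness categories by a Top 10-style weighted risk score.

Added example, not code from the thread or from the OWASP Top 10 project.
Assumed model (after the 2013 Top 10 "Note About Risks"): three likelihood
factors (exploitability, prevalence, detectability) on a 1..3 scale are
averaged and multiplied by technical impact (1..3). The findings data and
the expert ratings below are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed sample: number of assessed applications exhibiting each
# category. This is the one factor that can be driven by a body of data.
APPS_ASSESSED = 1000
CONSTRUCTED_FINDINGS: Dict[str, int] = {
    "Information Leakage / Error Handling": 940,
    "Missing Security Headers": 910,
    "Cross-Site Scripting (XSS)": 650,
    "Cross-Site Request Forgery (CSRF)": 300,
    "Broken Authentication": 210,
    "Injection": 120,
}

# Assumed expert ratings (exploitability, detectability, technical impact),
# each 1 (low) .. 3 (high); these stand in for the team's judgement calls.
EXPERT_RATINGS: Dict[str, Tuple[int, int, int]] = {
    "Information Leakage / Error Handling": (3, 3, 1),
    "Missing Security Headers": (2, 3, 1),
    "Cross-Site Scripting (XSS)": (2, 3, 2),
    "Cross-Site Request Forgery (CSRF)": (2, 3, 2),
    "Broken Authentication": (2, 2, 3),
    "Injection": (3, 2, 3),
}

# Assumed thresholds for turning the share of affected apps into the 1..3 scale.
WIDESPREAD_SHARE = 0.50   # >= 50% of apps -> 3 (widespread)
COMMON_SHARE = 0.10       # >= 10% of apps -> 2 (common), otherwise 1 (uncommon)


def prevalence_rating(affected: int, total: int) -> int:
    """Data-driven factor: map the affected share onto the 1..3 prevalence scale."""
    if total <= 0 or affected < 0 or affected > total:
        raise ValueError("affected must be within 0..total and total must be positive")
    share = affected / total
    if share >= WIDESPREAD_SHARE:
        return 3
    if share >= COMMON_SHARE:
        return 2
    return 1


def risk_score(exploitability: int, prevalence: int, detectability: int, impact: int) -> float:
    """Weighted risk: mean of the three likelihood factors times technical impact."""
    for factor in (exploitability, prevalence, detectability, impact):
        if factor not in (1, 2, 3):
            raise ValueError("each factor must be 1, 2 or 3")
    likelihood = (exploitability + prevalence + detectability) / 3
    return round(likelihood * impact, 2)


def rank_by_risk(findings: Dict[str, int],
                 ratings: Dict[str, Tuple[int, int, int]],
                 total: int) -> List[Tuple[str, float]]:
    """Score every category and sort from highest to lowest weighted risk."""
    scored = []
    for name, affected in findings.items():
        exploitability, detectability, impact = ratings[name]
        prevalence = prevalence_rating(affected, total)
        scored.append((name, risk_score(exploitability, prevalence, detectability, impact)))
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def rank_by_prevalence(findings: Dict[str, int]) -> List[str]:
    """The 'most common vulns' ordering, for contrast with the risk ordering."""
    return [name for name, _ in sorted(findings.items(), key=lambda item: (-item[1], item[0]))]


if __name__ == "__main__":
    print("By prevalence alone:")
    for name in rank_by_prevalence(CONSTRUCTED_FINDINGS):
        print(f"  {name}")
    print("By weighted risk:")
    for name, score in rank_by_risk(CONSTRUCTED_FINDINGS, EXPERT_RATINGS, APPS_ASSESSED):
        print(f"  {score:4.2f}  {name}")
```

With the constructed data, Information Leakage is the most prevalent category but scores 3.0, while Injection, the least prevalent, scores 7.0 and tops the risk list; only the prevalence column is something a data set can settle, the other three columns remain judgement calls.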

 

From: systmkor [mailto:systmkor at gmail.com] 
Sent: Friday, September 26, 2014 10:24 PM
To: Eoin Keary
Cc: Dave Wichers; <owasp-community at lists.owasp.org>;
<owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-community] [Owasp-leaders] OT10 Risks?

I may have missed it but I haven't seen how the Top 10 is calculated. What
risk framework and body of data would be used to generate the top 10 risks?
Lastly, is the goal to have the Top 10 most common risks or the top 10
riskiest problems?

Great discussion thus far.

Orion

On Sep 26, 2014, at 17:58, Eoin Keary <eoin.keary at owasp.org> wrote:

Good call Dave. Makes perfect sense now you say it, would it be an idea to
include this explanation in the top 10 foreword?

Eoin Keary

Owasp Global Board

+353 87 977 2988


On 24 Sep 2014, at 02:26, "Dave Wichers" <dave.wichers at owasp.org> wrote:

We thought about this pretty hard when switching from Vulns to Risks in the
title of the Top 10. Here were our thoughts:

* Switching to Risks we thought was important because organizations
care about risks, not vulns. Just because a vuln is prevalent (like info
leaks/error handling/system.out.printlns()/etc.) doesn't mean it introduces
a Top 10 level risk. So, organizing the Top 10 into the 10 largest risks
helps to focus it on what's most important.

* OK - given the new risk focus, we had a history of using
vulnerability names in the earlier releases which were about Vulns. So we
had a choice to make. Change all the names so they sound like Risks, or
retain the names that people are used to, to avoid introducing unfamiliar
terms that are confusing.

  - And we decided to go with the use familiar terms approach, even though
we knew that some of those terms aren't technically risks, they are vulns,
or weaknesses, or whatever.

So, we readily admit that the Top 10 category names aren't all exactly
risks, particularly the very technical ones like Injection, XSS and CSRF,
but those 3 terms in particular are very well known and replacing their
names with a risk based description of those issues we felt would do more
harm than good.

For example, what if we called XSS something like what CWE-79 does:
"Improper Neutralization of Input During Web Page Generation". That would
confuse the hell out of most people, so we stuck with the familiar terms
instead.

So, a fair and reasonable topic to discuss. But this is our rationale as to
why we did it this way and I still think it's the right thing for the Top
10.

-Dave

Dave Wichers

OWASP Top 10 Project Lead

From: owasp-community-bounces at lists.owasp.org
[mailto:owasp-community-bounces at lists.owasp.org] On Behalf Of Neil Smithline
Sent: Monday, September 22, 2014 1:35 PM
To: Josh Sokol
Cc: owasp-community at lists.owasp.org; owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-community] [Owasp-leaders] OT10 Risks?

Some history...

The 2004 and 2007 T10s are titled "The Ten Most Critical Web Application
Security *Vulnerabilities*". The 2010 and 2013 are "The Ten Most Critical Web
Application Security *Risks*". This name change was a major topic of
discussion while developing the 2010 T10.

My recollection, which admittedly is a bit fuzzy, is that the thought was
that risks are what you train your staff to avoid. Improper defense against
the risks leads to specific vulnerabilities and ultimately successful
attacks. At the time of writing the 2010 T10, there was great debate about
the meaning of vulnerabilities and risks. The problem wasn't that people
didn't understand these terms. Quite the contrary, the problem was that
nearly everyone had their own definitions of these terms.

My suspicion is that the items in the 2013 T10 (I'm only interested in the
newest T10) span terms such as risks, vulnerabilities, threats, attacks,
etc... The definitions were unclear during the writing of the T10 and, based
on this email thread, are still up for grabs. So we may never be able to
categorize what is in the 2013 T10. During writing of the T10, we focused on
our goal of making the T10 of utility to engineering organizations and
didn't worry about having consensus about definitions.

Going forward....

I question whether we'll ever come up with consistent terms that we agree
on. If we did come up with consistent terms, what would we do with them? Use
them as a framework for future OWASP work? Other?

Neil Smithline
408-634-5764
http://www.neilsmithline.com

On Mon, Sep 22, 2014 at 12:52 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

I'm not sure I interpret it the same way.  Depends really on your definition
of a "system" (arguing topicality here Jim).  How about "an assemblage or
combination of things or parts forming a complex or unitary whole".  By that
definition a system could be a web application, a database like MySQL or
Oracle, or an actual computer.  So, if a web application can be a system,
then, by definition, SQL Injection can be a vulnerability in that system.
No?  And yes, it can also be an attack type.

~josh

On Mon, Sep 22, 2014 at 11:46 AM, Jim Manico <jim.manico at owasp.org> wrote:

This is not true from Mitre's perspective. Per Mitre:

SQL injection is an attack type. Only a system can be vulnerable. So a
vulnerability per Mitre (per my reading) is an actual weakness in an actual
system, hence...

CVE = actual issues in real systems (key letter V)

CAPEC = abstract attack type definitions

--

Jim Manico

@Manicode

(808) 652-3805


On Sep 22, 2014, at 12:42 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

If you want to get technical, XSS is a vulnerability.  Getting XSS'ed is
exploitation of that vulnerability.  An example of a risk would be the
compromise of customer data resulting from the exploitation of an XSS
vulnerability.

If anyone is interested in learning more about Risk (and SimpleRisk), I'm
teaching a 1-day class on it at LASCON this year.

 

~josh

On Sun, Sep 21, 2014 at 4:13 PM, Eoin Keary <eoin.keary at owasp.org> wrote:

XSS is not a risk :)  Getting XSS'ed is if you are vulnerable.

It's a top 10 of most common vulns.
But if you actually did a top 10 (of common vulns)  the top 5 would be SSL
and security header related and make for slow reading. :)


Eoin Keary
Owasp Global Board
+353 87 977 2988




On 21 Sep 2014, at 17:04, Eoin Keary <eoin.keary at owasp.org> wrote:

> Risk != vuln
>
> Risk is defined as:
> "(Exposure to) the possibility of loss, injury, or other adverse or
unwelcome circumstance; a chance or situation involving such a possibility."
>
> The result of a weakness being leveraged and unwelcome outcomes.
>
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>
>>> T10 lists does not accurately
>> reflect the most dangerous "risks" or that it would be better to name it
>> differently?
>>
>> The commentary that I received was that the term "risk" did not
>> actually reflect the items on the lists. Folks have told me it should
>> be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>
>> I'm not sure what the right answer is here...
>>
>> Aloha,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>>> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>
>>> T10 lists does not accurately
>>> reflect the most dangerous "risks" or that it would be better to name it
>>> differently?
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-community