[Owasp-leaders] [Owasp-community] [Owasp-topten] OT10 Risks?

Jim Manico jim.manico at owasp.org
Tue Sep 30 06:15:53 UTC 2014


The OWASP Top Ten is certainly a successful flagship project, in my opinion.

I would only suggest that the OWASP Top Ten team adds a glossary of 
terms to the document next time around.

And for those of you who are interested Yiannis, Timur and I are going 
to form a little working group around this topic. If you are interested 
in joining, send me a note off-list and I'll add you.

Aloha,
Jim

On 9/29/14, 2:19 PM, mparsons at parsonsisconsulting.com wrote:
> +1
> Matt
>
> Sent from my iPhone please excuse typos...
> Matt Parsons, CISSP, MSM, CWASE
>
>
> On Sep 29, 2014, at 3:31 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>> So Dave Wichers' explanation was succinct and worked. What's wrong 
>> with looking at the Top 10 from that standpoint?
>> The top 10 also needs to be accessible for non security folks (the 
>> point of owasp awareness). Getting dragged into semantics and 
>> nomenclature is pointless if the only people who give a toss are 
>> owasp members. Does the top 10 work? Yes. Does the average developer 
>> give a toss about naming? No. Does the OWASP top 10 serve its 
>> purpose? Sure.
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 24 Sep 2014, at 08:30, Simone Onofri <simone.onofri at gmail.com> wrote:
>>
>>> Dear Jim,
>>>
>>> Literally speaking it is correct, e.g. a SQL Injection is not a Risk 
>>> by definition, but the latest editions of the TOP 10 are getting 
>>> into some analysis like Risk Analysis of the most frequent "issues" in 
>>> Web Application Security (I am using issues as a generic term), and I 
>>> think with a few edits it can also become "correct" by definition.
>>>
>>> Let me explain with two examples with the most generic definition of 
>>> Risk that can be taken from M_o_R / ISO 31000 and ISO 27000:
>>>  - M_o_R [1]: "An uncertain event or set of events that, should it 
>>> occur, will have an effect on the achievement of objectives. A risk 
>>> is measured by a combination of the probability of a perceived 
>>> threat or opportunity occurring and the magnitude of its impact on 
>>> objectives." We can remap it to our context as something like "An 
>>> uncertain event that, should it occur, will have an effect on the 
>>> achievement of IT Security objectives". An important concept in this 
>>> definition is that it is not necessarily bad. It depends. If the effect is 
>>> positive we can call it an opportunity (but it is not the case of 
>>> our TOP 10); if the effect is negative it is also called a threat in 
>>> M_o_R.
>>>  - ISO 27000 [2]: "effect of uncertainty on objective", in which the 
>>> effect is a deviation (positive or negative) generating an 
>>> impact, but we are not sure about the event which actualises the risk. 
>>> How is it possible to actualise a risk? If the asset (something that 
>>> has a value for the organization) or a control (a measure we can use 
>>> to modify the risk) has a vulnerability, which is a weakness that 
>>> can be exploited by threats (the potential cause) during an 
>>> attack (the attempt to destroy, expose, alter, disable, steal or 
>>> gain unauthorized access to or make unauthorized use of an asset) by 
>>> someone or something.
>>>
>>> In particular, in the 27000 definition I see more of the concepts and analysis 
>>> of the latest TOP 10 version. Taking the example of Injection [3], with the 
>>> specific example of a SQL Injection, as described:
>>>
>>> We have some assets (e.g. the application, the database, the data 
>>> in the database) and if we have some weaknesses (read "Security 
>>> Weaknesses" - e.g. no or poor input validation, poorly written code 
>>> with inline SQL queries instead of prepared statements), someone or 
>>> something (read "Threat Agent") can exploit them, causing a specific Impact (and I 
>>> love the separation of Technical and Business impact in the TOP 10).
>>>
>>> And the section "How Do I Prevent 'Injection'?" sounds like "which 
>>> kind of Controls" I can use to protect.
>>>
>>> TOP 10 talks about the Analysis of most common Risks that can occur 
>>> with the most frequent weaknesses/vulnerabilities, talking in ISO 
>>> language.
>>>
>>> My two cents,
>>>
>>> Simone
>>>
>>> [1] 
>>> https://www.exin.com/assets/exin/frameworks/126/glossaries/english_glossary_of_terms_mor_201404.pdf
>>> [2] http://standards.iso.org/ittf/licence.html
>>> [3] https://www.owasp.org/index.php/Top_10_2013-A1-Injection
>>>
>>> On Sun, Sep 21, 2014 at 10:40 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>     Aloha Community and Leaders,
>>>
>>>     During the many hallway conversations had at AppSec USA in Denver,
>>>     AppSec nomenclature came up on a number of occasions. I heard
>>>     several
>>>     folks claim that the "OWASP Top Ten 'Risks'" was mis-named and that
>>>     the list is not really risks.
>>>
>>>     Is this a fair perspective? What should it be?
>>>
>>>     I am uncertain of this myself and am asking to trigger an intelligent
>>>     conversation; I in no way wish to harm the many volunteers who have
>>>     made the various OT10 lists happen.
>>>
>>>     Thoughts?
>>>
>>>     Aloha,
>>>     --
>>>     Jim Manico
>>>     @Manicode
>>>     (808) 652-3805
>>>     _______________________________________________
>>>     Owasp-topten mailing list
>>>     Owasp-topten at lists.owasp.org
>>>     https://lists.owasp.org/mailman/listinfo/owasp-topten
>>>
>>>
>>> _______________________________________________
>>> Owasp-community mailing list
>>> Owasp-community at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-community
