[Owasp-leaders] [Owasp-community] OT10 Risks?

Shruti Kulkarni shruti.kulkarni at owasp.org
Tue Sep 30 08:33:50 UTC 2014


Hi All,

Not sure whether this point has been discussed earlier.

I am a practitioner and a consultant for information security. I have been
involved in VA for web apps. After a VA report is generated, one of the
first questions that gets asked is -- are OWASP top 10 fixed?

When I go for interviews, I get asked whether I am aware of the OWASP top
10.

The reason for mentioning these points was to bring forward the fact that,
irrespective of the terminology, the usage of the OWASP top 10 is reverential.

Having certifications like CISA, CRISC and CISSP, I understand the difference
between risk manifestation, vulnerability, threat, threat agent etc., but to
a large set of people, a web app is "marketable" / "relatively secure" /
"usable" etc. if the OWASP top 10 have been addressed.

Whilst terminology can be changed / aligned to more prevalent wordings /
meanings, to most practitioners, OWASP top 10 will be just that: OWASP top
10. And they need to address these to secure their web apps.

Apologies if this does not strike a chord.

Shruti Kulkarni

On Tuesday, 30 September 2014, Eoin Keary <eoin.keary at owasp.org> wrote:

> Indeed as mentioned a foreword to help describe the approach used.
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 30 Sep 2014, at 07:15, Jim Manico <jim.manico at owasp.org> wrote:
>
> The OWASP Top Ten is certainly a successful flagship project, in my
> opinion.
>
> I would only suggest that the OWASP Top Ten team adds a glossary of terms
> to the document next time around.
>
> And for those of you who are interested Yiannis, Timur and I are going to
> form a little working group around this topic. If you are interested in
> joining, send me a note off-list and I'll add you.
>
> Aloha,
> Jim
>
> On 9/29/14, 2:19 PM, mparsons at parsonsisconsulting.com wrote:
>
> +1
> Matt
>
> Sent from my iPhone please excuse typos...
> Matt Parsons, CISSP, MSM, CWASE
>
>
> On Sep 29, 2014, at 3:31 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
> So Dave Wichers' explanation was succinct and worked. What's wrong with
> looking at the Top 10 from that standpoint?
> The top 10 also needs to be accessible for non security folks (the point
> of owasp awareness). Getting dragged into semantics and nomenclature is
> pointless if the only people who give a toss are owasp members. Does the
> top 10 work? Yes. Does the average developer give a toss about naming? No.
> Does the OWASP top 10 serve its purpose? Sure.
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 24 Sep 2014, at 08:30, Simone Onofri <simone.onofri at gmail.com> wrote:
>
> Dear Jim,
>
> Literally speaking it is correct, e.g. a SQL Injection is not a Risk by
> definition, but the latest editions of the TOP 10 are getting into some
> analysis like Risk Analysis of the most frequent "issues" in Web Application
> Security (I am using issues as a generic term) and I think with a few
> edits it can also become "correct" by definition.
>
> Let me explain with two examples with the most generic definition of Risk
> that can be taken from M_o_R / ISO 31000 and ISO 27000:
> - M_o_R [1]: "An uncertain event or set of events that, should it occur,
> will have an effect on the achievement of objectives. A risk is measured by
> a combination of the probability of a perceived threat or opportunity
> occurring and the magnitude of its impact on objectives." We can remap it
> onto our context as something like "An uncertain event that, should it occur,
> will have an effect on the achievement of IT Security objectives". An important
> concept in this definition is that it is not bad. It depends. If the effect
> is positive we can call it an opportunity (but it is not the case of our
> TOP 10); if the effect is negative it is also called a threat in M_o_R.
> - ISO 27000 [2]: "effect of uncertainty on objective", in which the effect
> is a deviation (positive or negative) generating an impact, but we are
> not sure of the event which actualises the risk. How is it possible to
> actualise a risk? If the asset (something that has a value for the
> organization) or a control (a measure we can use to modify the risk) has a
> vulnerability, which is a weakness that can be exploited by threats (the
> potential cause) during an attack (the attempt to destroy, expose, alter,
> disable, steal or gain unauthorized access to or make unauthorized use of
> an asset) by someone or something.
>
> In particular in the 27000 definition I see more concepts and analysis in the
> latest TOP 10 version. Taking an example of Injection [3], with a specific
> example of a SQL Injection, as described:
>
> We have some assets (e.g. the application, the database, the data in the
> database) and if we have some weaknesses (read "Security Weaknesses",
> e.g. no or poor input validation, poorly written code with inline SQL queries
> and not prepared statements), someone or something (read "Threat Agent"),
> causing a specific Impact (and I love the separation of Technical and
> Business impact in TOP 10).
>
> And the section "How Do I Prevent 'Injection'?" sounds like "which kind
> of Controls" I can use to protect.
>
> TOP 10 talks about the Analysis of most common Risks that can occur with
> the most frequent weaknesses/vulnerabilities, talking in ISO language.
>
> My two cents,
>
> Simone
>
> [1] https://www.exin.com/assets/exin/frameworks/126/glossaries/english_glossary_of_terms_mor_201404.pdf
> [2] http://standards.iso.org/ittf/licence.html
> [3] https://www.owasp.org/index.php/Top_10_2013-A1-Injection
>
> On Sun, Sep 21, 2014 at 10:40 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Aloha Community and Leaders,
>>
>> During the many hallway conversations had at AppSec USA in Denver,
>> AppSec nomenclature came up on a number of occasions. I heard several
>> folks claim that the "OWASP Top Ten •Risks•" was mis-named and that
>> the list is not really risks.
>>
>> Is this a fair perspective? What should it be?
>>
>> I am uncertain of this myself and am asking to trigger an intelligent
>> conversation; I in no way wish to harm the many volunteers who have
>> made the various OT10 lists happen.
>>
>> Thoughts?
>>
>> Aloha,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> _______________________________________________
>> Owasp-topten mailing list
>> Owasp-topten at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>>
>
> _______________________________________________
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-community
>
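Simone's mapping of the Top 10 injection entry onto ISO 27000 terms (asset, weakness, threat agent, impact, control) can be made concrete with a small added example that is not part of this thread: a constructed in-memory SQLite table stands in for the asset, an inline-SQL lookup is the weakness, the parameterized lookup is the control, and rows returned for a user other than the one requested are the technical impact.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """The asset: a constructed in-memory users table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_user_weak(conn: sqlite3.Connection, username: str) -> list:
    """The weakness: inline SQL built by string formatting, so untrusted input
    becomes part of the query grammar instead of staying plain data."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The control from 'How Do I Prevent Injection?': a prepared/parameterized
    statement; the driver binds the value, so it can never alter the query."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def unexpected_rows(rows: list, requested: str) -> list:
    """The technical impact: any row for a user other than the one requested
    is data the caller was not authorized to see."""
    return [row for row in rows if row[0] != requested]


if __name__ == "__main__":
    db = make_demo_db()
    # Constructed input that is valid SQL once spliced into the inline query.
    hostile = "x' OR '1'='1"
    for name, lookup in (("weak", lookup_user_weak), ("control", lookup_user_parameterized)):
        rows = lookup(db, hostile)
        print(name, "rows:", rows, "leaked:", unexpected_rows(rows, hostile))
```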