[Owasp-leaders] OWASP Top 2017 - Data Call

Dave Wichers dave.wichers at owasp.org
Thu Jun 23 18:43:26 UTC 2016


Hey Colin,

I just saw your new paper today. I definitely want to review it. At first
glance, looks like good stuff!

You ask about the Top 11+. There is a little known section of the Top 10 on
this page:
https://www.owasp.org/index.php/Top_10_2013-Details_About_Risk_Factors
called: Additional Risks to Consider.  (This content probably deserves its
own page). It lists 10+ other risks that were considered for the Top 10,
and one of them is: Insufficient Anti-automation, which I believe is the
proper defense against what you are concerned about here. Denial of Service
is on that list too.

-Dave



On Thu, Jun 23, 2016 at 12:01 PM, Colin Watson <colin.watson at owasp.org>
wrote:

> Dave/Top Ten project
>
> Related to the recent post to the leader's list about a vendor paper...
>
> There is a significant body of knowledge about application vulnerability
> types, and some general consensus about identification and naming. But
> issues relating to the misuse of valid functionality (which may be caused
> by design flaws rather than implementation bugs) are less well defined.
> Yet these problems are seen day-in, day-out by web application owners.
> Excessive abuse of functionality is commonly misreported as application
> denial-of-service (DoS) attacks, such as HTTP flooding or application
> resource exhaustion, when in fact the DoS is a side-effect. Most of these
> problems seen regularly by web application owners are not listed in any
> OWASP Top Ten or in any other top issue list or dictionary.
>
> Thus why the "OWASP Automated Threats to Web Applications" project was
> created. It is not a "Top X" list, but we wonder if something like "Misuse
> of functionality" might be a candidate threat? I don't know what the top
> 11-25 were that didn't make it into the top 10 in 2013, but it would be
> nice to know.
>
> I am not sure many web application pen test data sources will document
> these vulnerabilities as report findings, despite some of the automated
> threats being the most time-consuming operational threats to web
> applications, based on conversations with web app owners and operators.
>
> Regards
>
> Colin Watson
> OWASP Automated Threats to Web Applications project leader
>
> https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
>
>
>
>
>>
>> While diversity is always a concern, I think the project is well known
>> enough that diversity won't be a problem. If, after 45 days or so, we don't
>> see the kind of diversity we're expecting, we might specifically reach out
>> to sources in different communities to get the diversity we are looking for.
>>
>>
>>
>> And to be clear, we are looking for vulnerability data, not attack data.
>> At least with this data call. If people want to submit attack data that
>> would be interesting as well, and that info could be used to help us
>> calculate the likelihood of (successful) attack. But that's a different
>> angle from the likelihood of having a vuln in the first place.  We actually
>> discussed during the last top 10 update if there were any good sources of
>> attack data, and we couldn't come up with any then. Maybe we can now?
>>
>>
>>
>> -Dave
>>
>>
>>
>>
>>
>> On Sat, May 21, 2016 at 5:25 PM, Tony UV <tonyuv at owasp.org> wrote:
>>
>> Instead of an open call, how about the following.  Open calls for data
>> place the level of involvement on the respondent/participant, and if there
>> isn't a diversity in involvement then the data, and hence the project,
>> suffers.
>>
>>
>>
>> Let's map out who is seeing payloads in web requests and ping them for
>> their data. Vendors in the following space may have logs related to
>> malicious http requests. These vendors include makers of WAFs, Sec
>> researchers managing honeypots, IPS manufacturers whose researchers author
>> web based signatures, even makers of agent based defensive SW that also
>> have signatures related to web based attacks.   These would be data points
>> from infrastructure and makers of 'defender' type systems.  Next we could
>> have another data set from those managing infrastructures in FI, banking,
>> Federal, Higher Ed, Retail, info services, etc. Getting logs from their
>> SIEMs can allow us to get logs from practitioners.  If they are concerned
>> about privacy, we can say that their participation can serve as a project
>> sponsorship and comp them two tickets to regional APPSEC.  Also we can be
>> transparent with the methodology on how we collect and use their data.  In
>> reality privacy is really not a factor as most of the legit and malicious
>> http payloads won't be carrying PII.  We can take both vendor product and
>> practitioner data and throw it up to a SumoLogic free instance and run data
>> analytics against all collected patterns. Sumo has the ability to hash
>> values from any part of the web request, so we can solicit that in case
>> practitioners offering practitioner data are worried about their
>> collected web requests revealing any info to OWASP project volunteers.
>>
>>
>>
>> I think that the OWASP Top Ten can finally get an industry support in the
>> form of diversified data. I think the way to do this is to solicit requests
>> and 'sell' participation.  Volunteers from the project and new recruits can
>> have different tasks of recruiting practitioners, tech companies to support
>> with data contributions or reviewing the data over a free SaaS based data
>> analytics engine. If left as a call for data, versus project leaders or new
>> volunteers from OWASP pursuing active data contributions, we may be looking
>> at less diversified data points.  I would think this more aggressive model
>> for data inclusion would actually help to make the project even more
>> marketable.
>>
>>
>>
>> My 0.03.
>>
>>
>>
>> Tony UV
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Sat, May 21, 2016 at 12:32 PM -0700, "Jonathan Carter" <
>> jonathan.carter at owasp.org> wrote:
>>
>> In the mobile top 10, we had challenges around diversity of data sources.
>> Is there a plan for who to try and pull in?
>>
>>
>>
>> On May 21, 2016, at 12:04 PM, Michael Coates <michael.coates at owasp.org>
>> wrote:
>>
>> This is great stuff! Love the open call for data and publishing all the
>> provided info. I imagine there'll be some very interesting data mining of
>> submitted data in addition to the aggregate top 10 results.
>>
>>
>>
>> I spread the word on Twitter too
>>
>> https://twitter.com/_mwc/status/734091285787643904
>>
>>
>>
>> On Friday, May 20, 2016, Dave Wichers <dave.wichers at owasp.org> wrote:
>>
>> Wouldn't you know it, I have a typo right in the title of my email :-).
>> This is obviously a data call for the next update to the OWASP Top 10,
>> which is expected to be released in 2017. Looking forward to your input.
>>
>>
>>
>> -Dave
>>
>>
>>
>> On Fri, May 20, 2016 at 10:31 PM, <dave.wichers at owasp.org> wrote:
>>
>> The OWASP Top 10 project is launching its effort to update the Top 10
>> again. The current version was released in 2013, and so this update is
>> expected to be the 2016 or more likely 2017 release. This time around, we
>> are making an open data call so anyone with application vulnerability
>> statistics can contribute their data to the project. To make it easier for
>> the project to consume this contributed data, we are requesting it be
>> provided via this Google form.
>>
>> DEADLINE: Data must be submitted by July 20, 2016.
>>
>> As an OWASP project, we strive to make everything about every project as
>> open as possible. For this release of the Top 10, we are going to publish
>> all the contributed data so that anyone can review it to understand what
>> input was considered to produce this update, and for other uses as well. We
>> could imagine other groups/projects making use of this data for other
>> reasons, so we believe publishing this data will have multiple benefits.
>>
>> WARNING: You acknowledge that by contributing data to this update of the
>> Top 10, that you authorize its publication. DO NOT CONTRIBUTE anything you
>> don’t want to become public.
>>
>> Guidance on what data we are looking for:
>>
>> We are looking for web application vulnerability statistics collected by
>> your organization:
>> • In web applications you assessed.
>> • During the years 2014, 2015, or both.
>> • These vulnerabilities can be in the code itself, the libraries the
>> applications use, or in the configuration of the environment the
>> applications run in.
>>
>> We are NOT interested in OS, or network level vulnerabilities. We ARE
>> interested in vulnerabilities in any SQL code running in any databases that
>> back the applications being assessed and the database accounts used to run
>> this code, but are generally NOT interested in security issues in the
>> configuration of the database server itself.
>>
>> Use your best judgment here to try to keep the data submitted relevant to
>> the project. If you have a question or aren’t sure, just ask us for
>> clarification.
>>
>> There are 5 pages of questions, most of which are very short. The long
>> one is page 4, which asks for all the vulnerability statistics. If you
>> prefer, you can send your answers to the questions on page 4 via email to
>> dave.wichers at owasp.org but please submit the rest of your input via this
>> Google form.
>>
>> I've invited you to fill out the form *OWASP Top 10 - 2016 Data Call*.
>> To fill it out, visit:
>>
>> https://docs.google.com/forms/d/1sBMHN5nBicjr5xSo04xkdP5JlCnXFcKFCgEHjwPGuLw/viewform?c=0&w=1&usp=mail_form_link
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>>
>>
>> --
>> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
>>
>> OWASP Global Board
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>