[Owasp-leaders] OWASP Top 2017 - Data Call

Colin Watson colin.watson at owasp.org
Thu Jun 23 20:08:54 UTC 2016


Dave

Thank you for the pointer to "additional risks to consider". WASC-21
Insufficient Anti-Automation covers most of the threats. In the Automated
Threat Handbook, there is a diagram "Figure 5: WASC Threat Classification
view of the Automated Threat Events" which tries to show this.

Maybe your and other people's experience is different, but I see very few
organisations testing or validating that these risks do not exist.

Good luck for the next Top 10!

Colin




On 23 June 2016 at 19:43, Dave Wichers <dave.wichers at owasp.org> wrote:

> Hey Colin,
>
> I just saw your new paper today. I definitely want to review it. At first
> glance, looks like good stuff!
>
> You ask about the Top 11+. There is a little known section of the Top 10
> on this page:
> https://www.owasp.org/index.php/Top_10_2013-Details_About_Risk_Factors
> called: Additional Risks to Consider.  (This content probably deserves its
> own page). It lists 10+ other risks that were considered for the Top 10,
> and one of them is: Insufficient Anti-automation, which I believe is the
> proper defense against what you are concerned about here. Denial of Service
> is on that list too.
>
> -Dave
>
>
>
> On Thu, Jun 23, 2016 at 12:01 PM, Colin Watson <colin.watson at owasp.org>
> wrote:
>
>> Dave/Top Ten project
>>
>> Related to the recent post to the leader's list about a vendor paper...
>>
>> There is a significant body of knowledge about application vulnerability
>> types, and some general consensus about identification and naming. But
>> issues relating to the misuse of valid functionality (which may be caused
>> by design flaws rather than implementation bugs) are less well defined.
>> Yet these problems are seen day-in, day-out by web application owners.
>> Excessive abuse of functionality is commonly misreported as application
>> denial-of-service (DoS) attacks, such as HTTP flooding or application
>> resource exhaustion, when in fact the DoS is a side-effect. Most of these
>> problems seen regularly by web application owners are not listed in any
>> OWASP Top Ten or in any other top issue list or dictionary.
>>
>> That is why the "OWASP Automated Threats to Web Applications" project was
>> created. It is not a "Top X" list, but we wonder if something like "Misuse
>> of functionality" might be a candidate threat? I don't know what the top
>> 11-25 were that didn't make it into the top 10 in 2013, but it would be
>> nice to know.
>>
>> I am not sure many web application pen test data sources will document
>> these vulnerabilities as report findings, despite some of the automated
>> threats being the most time-consuming operational threats to web
>> applications, based on conversations with web app owners and operators.
>>
>> Regards
>>
>> Colin Watson
>> OWASP Automated Threats to Web Applications project leader
>>
>>
>> https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
>>
>>
>>
>>
>>>
>>> While diversity is always a concern, I think the project is well known
>>> enough that diversity won't be a problem. If, after 45 days or so, we don't
>>> see the kind of diversity we're expecting, we might specifically reach out
>>> to sources in different communities to get the diversity we are looking for.
>>>
>>>
>>>
>>> And to be clear, we are looking for vulnerability data, not attack data.
>>> At least with this data call. If people want to submit attack data that
>>> would be interesting as well, and that info could be used to help us
>>> calculate the likelihood of (successful) attack. But that's a different
>>> angle from the likelihood of having a vuln in the first place.  We actually
>>> discussed during the last top 10 update if there were any good sources of
>>> attack data, and we couldn't come up with any then. Maybe we can now?
>>>
>>>
>>>
>>> -Dave
>>>
>>>
>>>
>>>
>>>
>>> On Sat, May 21, 2016 at 5:25 PM, Tony UV <tonyuv at owasp.org> wrote:
>>>
>>> Instead of an open call, how about the following.  Open calls for data
>>> place the level of involvement on the respondent/participant, and if there
>>> isn't a diversity in involvement then the data, and hence the project,
>>> suffers.
>>>
>>>
>>>
>>> Let's map out who is seeing payloads in web requests and ping them for
>>> their data. Vendors in the following space may have logs related to
>>> malicious HTTP requests. These vendors include makers of WAFs, security
>>> researchers managing honeypots, IPS manufacturers whose researchers author
>>> web-based signatures, even makers of agent-based defensive software that also
>>> have signatures related to web-based attacks.   These would be data points
>>> from infrastructure and makers of 'defender' type systems.  Next we could
>>> have another data set from those managing infrastructures in FI, banking,
>>> Federal, Higher Ed, Retail, info services, etc.; getting logs from their
>>> SIEMs can allow us to get logs from practitioners.  If they are concerned
>>> about privacy, we can say that their participation can serve as a project
>>> sponsorship and comp them two tickets to regional AppSec.  Also we can be
>>> transparent with the methodology on how we collect and use their data.  In
>>> reality privacy is really not a factor as most of the legit and malicious
>>> HTTP payloads won't be carrying PII.  We can take both vendor product and
>>> practitioner data and throw it up to a SumoLogic free instance and run data
>>> analytics against all collected patterns. Sumo has the ability to hash
>>> values from any part of the web request, so we can solicit that in case
>>> practitioners offering practitioner data are worried about their
>>> collected web requests revealing any info to OWASP project volunteers.
>>>
>>>
>>>
>>> I think that the OWASP Top Ten can finally get industry support in
>>> the form of diversified data. I think the way to do this is to solicit
>>> requests and 'sell' participation.  Volunteers from the project and new
>>> recruits can have different tasks of recruiting practitioners, tech
>>> companies to support with data contributions or reviewing the data over a
>>> free SaaS based data analytics engine. If left as a call for data, versus
>>> project leaders or new volunteers from OWASP pursuing active data
>>> contributions, we may be looking at less diversified data points.  I would
>>> think this more aggressive model for data inclusion would actually help to
>>> make the project even more marketable.
>>>
>>>
>>>
>>> My 0.03.
>>>
>>>
>>>
>>> Tony UV
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Sat, May 21, 2016 at 12:32 PM -0700, "Jonathan Carter" <
>>> jonathan.carter at owasp.org> wrote:
>>>
>>> In the mobile top 10, we had challenges around diversity of data
>>> sources. Is there a plan for who to try and pull in?
>>>
>>>
>>>
>>> On May 21, 2016, at 12:04 PM, Michael Coates <michael.coates at owasp.org>
>>> wrote:
>>>
>>> This is great stuff! Love the open call for data and publishing all the
>>> provided info. I imagine there'll be some very interesting data mining of
>>> submitted data in addition to the aggregate top 10 results.
>>>
>>>
>>>
>>> I spread the word on Twitter too
>>>
>>> https://twitter.com/_mwc/status/734091285787643904
>>>
>>>
>>>
>>> On Friday, May 20, 2016, Dave Wichers <dave.wichers at owasp.org> wrote:
>>>
>>> Wouldn't you know it, I have a typo right in the title of my email :-).
>>> This is obviously a data call for the next update to the OWASP Top 10,
>>> which is expected to be released in 2017. Looking forward to your input.
>>>
>>>
>>>
>>> -Dave
>>>
>>>
>>>
>>> On Fri, May 20, 2016 at 10:31 PM, <dave.wichers at owasp.org> wrote:
>>>
>>> The OWASP Top 10 project is launching its effort to update the Top 10
>>> again. The current version was released in 2013, and so this update is
>>> expected to be the 2016 or more likely 2017 release. This time around, we
>>> are making an open data call so anyone with application vulnerability
>>> statistics can contribute their data to the project. To make it easier for
>>> the project to consume this contributed data, we are requesting it be
>>> provided via this Google form.
>>>
>>> DEADLINE: Data must be submitted by July 20, 2016.
>>>
>>> As an OWASP project, we strive to make everything about every project as
>>> open as possible. For this release of the Top 10, we are going to publish
>>> all the contributed data so that anyone can review it to understand what
>>> input was considered to produce this update, and for other uses as well. We
>>> could imagine other groups/projects making use of this data for other
>>> reasons, so we believe publishing this data will have multiple benefits.
>>>
>>> WARNING: You acknowledge that by contributing data to this update of the
>>> Top 10, that you authorize its publication. DO NOT CONTRIBUTE anything you
>>> don’t want to become public.
>>>
>>> Guidance on what data we are looking for:
>>>
>>> We are looking for web application vulnerability statistics collected by
>>> your organization:
>>> • In web applications you assessed.
>>> • During the years 2014, 2015, or both.
>>> • These vulnerabilities can be in the code itself, the libraries the
>>> applications use, or in the configuration of the environment the
>>> applications run in.
>>>
>>> We are NOT interested in OS, or network level vulnerabilities. We ARE
>>> interested in vulnerabilities in any SQL code running in any databases that
>>> back the applications being assessed and the database accounts used to run
>>> this code, but are generally NOT interested in security issues in the
>>> configuration of the database server itself.
>>>
>>> Use your best judgment here to try to keep the data submitted relevant
>>> to the project. If you have a question or aren’t sure, just ask us for
>>> clarification.
>>>
>>> There are 5 pages of questions, most of which are very short. The long
>>> one is page 4, which asks for all the vulnerability statistics. If you
>>> prefer, you can send your answers to the questions on page 4 via email to
>>> dave.wichers at owasp.org but please submit the rest of your input via
>>> this Google form.
>>>
>>> I've invited you to fill out the form *OWASP Top 10 - 2016 Data Call*.
>>> To fill it out, visit:
>>>
>>> https://docs.google.com/forms/d/1sBMHN5nBicjr5xSo04xkdP5JlCnXFcKFCgEHjwPGuLw/viewform?c=0&w=1&usp=mail_form_link
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Michael Coates | @_mwc
>>> <https://twitter.com/intent/user?screen_name=_mwc>
>>>
>>> OWASP Global Board
>>>
>>
>
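Colin's point above is that abuse of valid functionality gets logged and reported as application DoS because a rate-based view is the only one most operators have. The script below is an added illustration and is not code from the OWASP Automated Threats project or from anyone in this thread. It runs over constructed access-log lines (invented for the example) and applies two separate tests per client: a volumetric one (requests per second) and a functional one (how many distinct usernames one client pushes through the login form, and how many of those fail), the latter being the shape of the credential stuffing event described in the Automated Threat Handbook. The thresholds, the log format with a trailing username field, and the IP addresses are assumptions for the illustration.

```python
"""Tell misuse of a valid function apart from a request flood in access logs.

Added example; the log lines are constructed and the thresholds are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-like format with an extra quoted username field that a login
# endpoint might record. The format itself is an assumption of this example.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<user>[^"]*)"$'
)

# Assumed thresholds for this illustration; tune them against real traffic.
FLOOD_RPS = 20           # sustained requests/second from one client
STUFFING_MIN_USERS = 5   # distinct usernames one client tries on /login
STUFFING_MIN_FAIL = 0.8  # share of those login attempts answered with 401


def _line(ip, second, method, path, status, user):
    """Build one constructed log line at 20:00:<second> on 23 Jun 2016."""
    return (f'{ip} - - [23/Jun/2016:20:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "{user}"')


SAMPLE_LOG = "\n".join(
    # one client slowly walking a list of leaked usernames through the login form
    [_line('203.0.113.7', 5 * i, 'POST', '/login', 401, u)
     for i, u in enumerate(['alice', 'bob', 'carol', 'dave', 'erin', 'frank'])]
    # a second client sending 40 identical searches inside one second
    + [_line('198.51.100.9', 1, 'GET', '/search?q=x', 200, '-') for _ in range(40)]
    # an ordinary user: one successful login, one page view
    + [_line('192.0.2.44', 7, 'POST', '/login', 200, 'grace'),
       _line('192.0.2.44', 9, 'GET', '/account', 200, 'grace')]
)


def parse(log_text):
    """Return (ip, timestamp, method, path-without-query, status, user) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        events.append((m['ip'], ts, m['method'], m['path'].split('?')[0],
                       int(m['status']), m['user']))
    return events


def classify(log_text):
    """Map each client IP to 'abuse-of-function:credential-stuffing',
    'volumetric-flood' or 'normal'."""
    per_ip = defaultdict(list)
    for ev in parse(log_text):
        per_ip[ev[0]].append(ev)

    verdicts = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e[1])
        # Volumetric signal: requests over the time span the client was active.
        span = (evs[-1][1] - evs[0][1]).total_seconds() or 1.0
        rps = len(evs) / span
        # Functional signal: how the login function is being exercised.
        logins = [e for e in evs if e[2] == 'POST' and e[3] == '/login']
        users = {e[5] for e in logins if e[5] != '-'}
        fails = sum(1 for e in logins if e[4] == 401)
        fail_ratio = fails / len(logins) if logins else 0.0

        if len(users) >= STUFFING_MIN_USERS and fail_ratio >= STUFFING_MIN_FAIL:
            verdicts[ip] = 'abuse-of-function:credential-stuffing'
        elif rps >= FLOOD_RPS:
            verdicts[ip] = 'volumetric-flood'
        else:
            verdicts[ip] = 'normal'
    return verdicts


if __name__ == '__main__':
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(f'{ip:15} {verdict}')
```

The stuffing client in the sample sends six requests over 25 seconds, far below any flood threshold; only the functional test catches it. Conversely the search client trips the rate test without ever touching an authenticated function. Keeping the two signals separate is what lets a report say "automated misuse of the login function" rather than "DoS".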