[Owasp-leaders] [Owasp-community] OWASP Top Ten Proactive Controls 3.0 DRAFT

Eoin Keary eoin.keary at owasp.org
Wed Aug 23 09:56:04 UTC 2017


There are hundreds of examples of logical weakness with nothing to do with authorisation... some random examples:

Coupon stacking
Currency denomination tampering
Transaction Criteria bypass

None of these could be detected by scanners, because they don't understand the context of the parameters.




@eoinkeary
OWASP since 2004!!

> On 23 Aug 2017, at 02:34, Jeff Williams <jeff.williams at owasp.org> wrote:
> 
> I think we should be very careful with this distinction.  First, it doesn't really hold up to scrutiny. Almost every example of logic flaws you can find is actually just an authorization problem that's been in the T10 since 2003.  Second, vendors use this distinction to explain how their tool does everything except business logic -- into which they lump all sorts of things their tool should find.
> 
> --Jeff
> 
> 
>> On Aug 17, 2017, at 2:02 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>> 
>> Hey Katy
>> For #1 can I suggest referring to issues automation can discover as "technical issues/vulnerabilities" and other issues which (currently) don't bode well to automated discovery as "Logical Vulnerabilities".
>> 
>> - just a thought. I'll read more of it later as I'm on vacation!
>> 
>> 
>> 
>> 
>> @eoinkeary
>> OWASP since 2004!!
>> 
>>> On 17 Aug 2017, at 17:58, Katy Anton <katy.anton at owasp.org> wrote:
>>> 
>>> OWASP Community,
>>> 
>>> Jim Bird, Jim Manico and I have been working on the OWASP Proactive Controls 3.0 document.
>>> This is a developer AppSec awareness doc in everyone's favourite art form - a Top Ten list, where we have gone deeper in each of the controls.
>>> 
>>> The doc is currently in draft form and we would love your help and suggestions before our final release.
>>> Our goal is to make this document brief but helpful to instruct developers to build more secure software.
>>> 
>>> The doc is in "world edit" mode so anyone can make direct comments or edits to the doc, even anonymously.
>>> 
>>> https://docs.google.com/document/d/1bQKisfXQ2XRwkcUaTvVTR7bpzVgbwIhDA1O6hUbywiY/edit?ts=597378d8&pli=1#
>>> 
>>> Thanks for your help!
>>> 
>>> OWASP Proactive Controls Team
>>> _______________________________________________
>>> Owasp-community mailing list
>>> Owasp-community at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-community
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders