<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Rahim,<br>
    <br>
    I know you were kidding (Eoin is your boss, ey?) but I want to take
    a moment to point out our code of ethics...<br>
    <br>
<a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics">https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics</a><br>
    <br>
    ...especially:<br>
    <br>
    <ul>
      <li>Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers;</li>
      <li>Treat everyone with respect and dignity;</li>
    </ul>
    <p>I have <u><b>failed here in the past and do not intend to do so
          in the future</b></u>. We have a very passionate and sensitive
      community. All leaders and members need to be aware of this,
      myself included. Especially me and other members of the board...<br>
    </p>
    <p>Rahim, I know you are a man of respect. This topic has been a big
      issue at OWASP as of late and I am trying my best to take our code
      of ethics very seriously.<br>
    </p>
    <p>Aloha Rahim, was great to see you at AppSec USA.<br>
    </p>
    <p>- Jim<br>
      <br>
    </p>
    <br>
    <br>
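    <p>Added example, not written by anyone in this thread: Eoin's "O'Brien" username question and Jim's footnote [1] further down come to the same point, so the Python below (in-memory sqlite3, with constructed sample rows) runs a legitimate apostrophe and an <code>or 1=1</code> string through a concatenated query and through a parametrized one. Names such as <code>lookup_concat</code> and <code>SAMPLE_USERS</code> are my own.</p>

```python
"""Same three input strings, two ways of building the query.

A string is only an "attack" when the query treats it as SQL text; the
parametrized statement is compiled with a placeholder first, so the bound
value can never alter the query plan (the point of footnote [1]).
"""
import sqlite3

# Constructed sample data, not from the thread.
SAMPLE_USERS = [("alice", "s3cret"), ("O'Brien", "pa55"), ("bob", "hunter2")]


def make_db():
    """Build a throwaway in-memory table of the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """Weak form (CWE-89 pattern): the input is pasted into the SQL text.

    Returns the sorted list of matched names, or an 'error: ...' string
    when the input breaks the statement itself.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def lookup_param(conn, name):
    """Hardened form: the statement is fixed, the value is bound as data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def compare(name):
    """Run one input through both forms and return both results."""
    conn = make_db()
    try:
        return {"concat": lookup_concat(conn, name),
                "param": lookup_param(conn, name)}
    finally:
        conn.close()


if __name__ == "__main__":
    # "O'Brien" breaks the concatenated query but is an ordinary value to
    # the parametrized one; the tautology matches every row only when it
    # is allowed to become part of the SQL text.
    for probe in ["alice", "O'Brien", "' OR 1=1 --"]:
        print(repr(probe), "->", compare(probe))
```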
    <div class="moz-cite-prefix">On 9/21/14, 8:18 PM, Rahim Jina wrote:<br>
    </div>
    <blockquote
      cite="mid:546A14C7-5E59-4E10-8EEC-1EDCB0EB55B9@owasp.org"
      type="cite">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div>Don't try to sugar-coat it Jim</div>
      <div><br>
      </div>
      <div>Eoin's a scriptkiddy through and through<br>
        <br>
        Sent from my iPhone</div>
      <div><br>
        On 21 Sep 2014, at 19:48, Jim Manico <<a
          moz-do-not-send="true" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>>
        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div>
          <meta content="text/html; charset=UTF-8"
            http-equiv="Content-Type">
          There is no-one to blame for this but the entire industry, the
          problem is systemic and I'm not trying to pick on anyone in
          particular. I am just seeking clarity and I might very well be
          wrong!<br>
          <br>
          So back to Eoin's example, I think the full description would
          be:<br>
          <br>
          You <i><b>exploited</b></i> a <i><b>vulnerability</b></i><i><b>
              in a specific system</b></i> using the <i><b>attack
              pattern of SQL Injection</b></i>. Apparently, there was a
          <b>weakness</b> in the system you were reviewing where query
          parametrization or other defenses were not in place.<br>
          <br>
          Aloha,<br>
          Jim<br>
          <br>
          <br>
          <div class="moz-cite-prefix">On 9/21/14, 7:24 PM, Timur 'x'
            Khrotko (owasp) wrote:<br>
          </div>
          <blockquote
cite="mid:CAKD22CC4EdRoRiypK6D=dpjTb61zV0hWuCjSwTJLmVOMQS9OPw@mail.gmail.com"
            type="cite">
            <div dir="ltr">Jim, I am absolutely with you!
              <div>AppSec is ruled by practitioners who do not care.)</div>
              <div><br>
              </div>
              <div>Scriptkiddies take down systems with ASCII strings
                and without knowing English.<br>
              </div>
              <div><br>
              </div>
              <div>There are software delivery contracts in the wild
                that refer to OT10 as a list of vulnerabilities to avoid
                - that is a problem, which in part grows from undefined
                appsec terms too.</div>
              <div class="gmail_extra"><br clear="all">
                <div>
                  <div dir="ltr">
                    <div><br>
                    </div>
                  </div>
                </div>
                <div class="gmail_quote">On Mon, Sep 22, 2014 at 1:14 AM, Jim Manico <span dir="ltr"><<a moz-do-not-send="true" href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span> wrote:<br>
                  <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    <div bgcolor="#FFFFFF" text="#000000"> So per
                      Mitre...<br>
                      <br>
                      You <i><b>exploited</b></i> a <i><b>vulnerability</b></i><i><b>
                          in a specific system</b></i> using the <i><b>attack
                          pattern of SQL Injection</b></i>.<br>
                      <br>
                      Per Mitre, a vulnerability is only specific to a
                      system (hence CVE) and is not a general
                      definition, per my understanding.<br>
                      <br>
                      I know this is pedantic, but so is all
                      nomenclature within complex systems. :)<br>
                      <br>
                      So just for the record, I've seen SQL Injection
                      called a Risk, a Vulnerability, an Attack Pattern
                      and a Weakness in my Sunday readings. Our industry
                      is NOT good at this right now. I'm trying to
                      achieve clarity.<br>
                      <br>
                      Aloha,<br>
                      - Jim
                      <div>
                        <div class="h5"><br>
                          <br>
                          <div>On 9/21/14, 7:04 PM, Eoin Keary wrote:<br>
                          </div>
                          <blockquote type="cite">
                            <div>Jim I've taken down entire financial
                              systems via "or 11".</div>
                            <div>An attack pattern to a vulnerable
                              system. A string of chars to a non
                              vulnerable one.</div>
                            <div><br>
                            </div>
                            <div>I think we are drifting off the point
                              here even though this is interesting.....</div>
                            <div><br>
                              <br>
                              Eoin Keary
                              <div>Owasp Global Board</div>
                              <div><a moz-do-not-send="true" href="tel:%2B353%2087%20977%202988" value="+353879772988" target="_blank">+353 87 977 2988</a></div>
                              <div><br>
                              </div>
                            </div>
                            <div><br>
                              On 21 Sep 2014, at 18:57, Jim Manico <<a moz-do-not-send="true" href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>> wrote:<br>
                              <br>
                            </div>
                            <blockquote type="cite">
                              <div> Attack patterns, per Mitre, are
                                ABSTRACT descriptions not specific to
                                any product, service or application.
                                Plus your example below is not
                                exploitable in most situations, so I
                                would say no on multiple levels.<br>
                                <br>
                                Here is Mitre's description of SQL
                                Injection as an attack pattern. <a
                                  moz-do-not-send="true"
                                  href="https://capec.mitre.org/data/definitions/66.html"
                                  target="_blank">https://capec.mitre.org/data/definitions/66.html</a><br>
                                <br>
                                I am not saying that Mitre is correct, I
                                am only (trying) to express their
                                perspective here.<br>
                                <br>
                                Aloha,<br>
                                - Jim<br>
                                <br>
                                <br>
                                <br>
                                <br>
                                <div>On 9/21/14, 6:53 PM, Eoin Keary
                                  wrote:<br>
                                </div>
                                <blockquote type="cite">
                                  <div>Jim,</div>
                                  <div>Is setting a username to
                                    "O'Brien" an attack pattern?</div>
                                  <div><br>
                                  </div>
                                  <div><br>
                                    Eoin Keary
                                    <div>Owasp Global Board</div>
                                    <div><a moz-do-not-send="true"
                                        href="tel:%2B353%2087%20977%202988"
                                        value="+353879772988"
                                        target="_blank">+353 87 977 2988</a></div>
                                    <div><br>
                                    </div>
                                  </div>
                                  <div><br>
                                    On 21 Sep 2014, at 17:41, Jim Manico <<a moz-do-not-send="true" href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>> wrote:<br>
                                    <br>
                                  </div>
                                  <blockquote type="cite">
                                    <div> > Attack patterns are only
                                      "attack" if there is a vuln?
                                      Otherwise they are only character
                                      strings? Just sayin<br>
                                      <br>
                                      From what I am reading, Eoin, an
                                      attack pattern (per Mitre) is an
                                      ABSTRACT mechanism to describe how
                                      one would attack a vulnerable
                                      cyber-enabled system.<br>
                                      <br>
                                      A vulnerability would be a
                                      weakness in a specific product or
                                      service.<br>
                                      <br>
                                      This kind of makes sense to me.
                                      I've been reading a lot lately,
                                      and most folks mix these terms in
                                      various ways, hence my confusion.
                                      I get the impression that Mitre is
                                      doing this right, but I'm not 100%
                                      sure.<br>
                                      <br>
                                      Aloha,<br>
                                      Jim<br>
                                      <br>
                                      <br>
                                      <blockquote type="cite">
                                        <div><br>
                                          <br>
                                          Eoin Keary
                                          <div>Owasp Global Board</div>
                                          <div><a moz-do-not-send="true"
href="tel:%2B353%2087%20977%202988" value="+353879772988"
                                              target="_blank">+353 87
                                              977 2988</a></div>
                                          <div><br>
                                          </div>
                                        </div>
                                        <div><br>
                                          On 21 Sep 2014, at 17:35, Jim Manico <<a moz-do-not-send="true" href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>> wrote:<br>
                                          <br>
                                        </div>
                                        <blockquote type="cite">
                                          <div> Very interesting, Timur
                                            and Eoin. I might be reading
                                            this wrong, but it looks to
                                            me that SQL Injection per
                                            Mitre is an ....<br>
                                            <br>
                                            ... <b>attack pattern</b> <a
                                              moz-do-not-send="true"
                                              href="http://capec.mitre.org/data/definitions/66.html"
                                              target="_blank">http://capec.mitre.org/data/definitions/66.html</a><br>
                                            ... caused by the <b>weakness</b>
                                            of lack of neutralization of
                                            special characters <a
                                              moz-do-not-send="true"
                                              href="http://cwe.mitre.org/data/definitions/89.html"
                                              target="_blank">http://cwe.mitre.org/data/definitions/89.html</a>
                                            <b>[1]</b><br>
                                            ... that <b>affects many
                                              products and services and
                                              makes them vulnerable</b>
                                            <a moz-do-not-send="true" href="http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html" target="_blank">http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html</a><br>
                                            <br>
                                            So per Mitre, SQL Injection
                                            would NOT be a
                                            vulnerability, that is
                                            product specific (CVE). SQL
                                            Injection per Mitre seems to
                                            be an attack pattern.<br>
                                            <br>
                                            Per Mitre: An "attack pattern" is an
                                              abstraction mechanism to
                                              assist in understanding
                                              how an attack against
                                              vulnerable cyber-enabled
                                              capabilities is executed.<br>
                                            <br>
                                            So I'm thinking that the
                                            "classic" OWASP Top Ten is
                                            really a mix of attack
                                            patterns (a1, a3, a8, a10)
                                            and weaknesses (a2, a4, a5,
                                            a6, a7, a9).<br>
                                            <br>
                                            •A1 Injection<br>
                                            •A2 Broken Authentication
                                            and Session Management<br>
                                            •A3 Cross-Site Scripting
                                            (XSS)<br>
                                            •A4 Insecure Direct Object
                                            References<br>
                                            •A5 Security
                                            Misconfiguration<br>
                                            •A6 Sensitive Data Exposure<br>
                                            •A7 Missing Function Level
                                            Access Control<br>
                                            •A8 Cross-Site Request
                                            Forgery (CSRF)<br>
                                            •A9 Using Components with
                                            Known Vulnerabilities<br>
                                            •A10 Unvalidated Redirects
                                            and Forwards<br>
                                            <br>
                                            And just to make this more
                                            confusing, Mitre declares
                                            that SQL Injection is an
                                            attack pattern as described
                                            above, but considers SQL
                                            injection through Hibernate
                                            to be a weakness <a moz-do-not-send="true" href="http://cwe.mitre.org/data/definitions/564.html" target="_blank">http://cwe.mitre.org/data/definitions/564.html</a>
                                            which confuses the issue for
                                            me....<br>
                                            <br>
                                            Aloha,<br>
                                            Jim<br>
                                            <br>
                                            [1] This is not so accurate
                                            (debatable) but that is
                                            beside the point. :) Query
                                            Parametrization does not
                                            neutralize special
                                            characters, it pre-compiles
                                            the query into a query plan
                                            that cannot be modified at
                                            query execution time. :)<br>
                                            <br>
                                            <br>
                                            <br>
                                            <div>On 9/21/14, 5:11 PM,
                                              Timur 'x' Khrotko (owasp)
                                              wrote:<br>
                                            </div>
                                            <blockquote type="cite">
                                              <div dir="ltr">
                                                <div>(vulnerability
                                                  types, meta
                                                  weaknesses)</div>
                                                <div><br>
                                                </div>
                                                <div>We may take the
                                                  MITRE approach in
                                                  order not to invent
                                                  parallel terminology.</div>
                                                <div><br>
                                                </div>
                                                <div><a moz-do-not-send="true" href="https://cwe.mitre.org" target="_blank">https://cwe.mitre.org</a> (weaknesses, vuln types, cca 700 elements)</div>
                                                <div><a moz-do-not-send="true" href="https://cve.mitre.org" target="_blank">https://cve.mitre.org</a> (vulnerabilities and exposures, thousands)</div>
                                                <div><a moz-do-not-send="true" href="https://capec.mitre.org" target="_blank">https://capec.mitre.org</a> (attack patterns)</div>
                                                <div><br>
                                                </div>
                                                <div><br>
                                                </div>
                                                <div>The top 41 SANS "Most Dangerous Software Errors"</div>
                                                <div><a moz-do-not-send="true" href="https://cwe.mitre.org/top25/index.html" target="_blank">https://cwe.mitre.org/top25/index.html</a></div>
                                                <div>+ 16</div>
                                                <div><a moz-do-not-send="true" href="https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html" target="_blank">https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html</a></div>
                                                <div><br>
                                                </div>
                                                <div class="gmail_extra">
                                                  <div>
                                                    <div dir="ltr">
                                                      <div><br>
                                                      </div>
                                                    </div>
                                                  </div>
                                                  <div class="gmail_quote">On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <span dir="ltr"><<a moz-do-not-send="true" href="mailto:eoin.keary@owasp.org" target="_blank">eoin.keary@owasp.org</a>></span> wrote:<br>
                                                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Risk != vuln<br>
                                                      <br>
                                                      Risk is defined as:<br>
                                                      "(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility."<br>
                                                      <br>
                                                      The result of a weakness being leveraged and unwelcome outcomes.<br>
                                                      <span><font color="#888888"><br>
                                                          <br>
                                                          <br>
                                                          Eoin Keary<br>
                                                          Owasp Global Board<br>
                                                          <a moz-do-not-send="true" href="tel:%2B353%2087%20977%202988" value="+353879772988" target="_blank">+353 87 977 2988</a><br>
                                                        </font></span>
                                                      <div>
                                                        <div><br>
                                                          <br>
                                                          On 21 Sep 2014, at 16:53, Jim Manico <<a moz-do-not-send="true" href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>> wrote:<br>
                                                          <br>
                                                          >> T10 lists does not accurately<br>
                                                          > reflect the most dangerous "risks" or that it would be better to name it<br>
                                                          > differently?<br>
                                                          ><br>
                                                          > The commentary that I received was that the term "risk" did not<br>
                                                          > actually reflect the items on the lists. Folks have told me it should<br>
                                                          > be "vulnerabilities" or "attacks" or "weaknesses" and more.<br>
                                                          ><br>
                                                          > I'm not sure what the right answer is here...<br>
                                                          ><br>
                                                          > Aloha,<br>
                                                          > --<br>
                                                          > Jim Manico<br>
                                                          > @Manicode<br>
                                                          > (808) 652-3805<br>
                                                          ><br>
                                                          >> On Sep 21, 2014, at 4:50 PM, Tobias <<a moz-do-not-send="true" href="mailto:tobias.gondrom@owasp.org" target="_blank">tobias.gondrom@owasp.org</a>> wrote:<br>
                                                          >><br>
                                                          >> T10 lists does not accurately<br>
                                                          >> reflect the most dangerous "risks" or that it would be better to
                                                          name it<br>
                                                          >>
                                                          differently?<br>
                                                          >
                                                          _______________________________________________<br>
                                                          >
                                                          OWASP-Leaders
                                                          mailing list<br>
                                                          > <a
                                                          moz-do-not-send="true"
href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                                                          > <a
                                                          moz-do-not-send="true"
href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                                                          target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                                                        </div>
                                                      </div>
                                                    </blockquote>
                                                  </div>
                                                  <br>
                                                </div>
                                              </div>
                                              <br>
                                              <div><font color="#66cccc" face="times new roman, serif" size="1">Email us to enforce secure link with your mail servers (domain).</font></div>
                                              <span>This message may contain confidential information - you should handle it accordingly.</span><br>
                                              <span>This message may contain confidential information and should be handled accordingly.</span> </blockquote>
                                            <br>
                                          </div>
                                        </blockquote>
                                      </blockquote>
                                      <br>
                                    </div>
                                  </blockquote>
                                </blockquote>
                                <br>
                              </div>
                            </blockquote>
                          </blockquote>
                          <br>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                </div>
                <br>
              </div>
            </div>
            <br>
            </blockquote>
          <br>
        </div>
      </blockquote>
      <blockquote type="cite">
        <div><span>_______________________________________________</span><br>
          <span>Owasp-community mailing list</span><br>
          <span><a moz-do-not-send="true"
              href="mailto:Owasp-community@lists.owasp.org">Owasp-community@lists.owasp.org</a></span><br>
          <span><a moz-do-not-send="true"
              href="https://lists.owasp.org/mailman/listinfo/owasp-community">https://lists.owasp.org/mailman/listinfo/owasp-community</a></span><br>
        </div>
      </blockquote>
    </blockquote>
    <br>
  </body>
</html>