[Owasp-topten] Re: [OWASP-LEADERS] Apologies

Andrew van der Stock vanderaj at greebo.net
Fri Aug 19 13:39:24 EDT 2005


Thank you for your efforts on this and all the other projects you've  
had a hand in over the last five years. Without you, there would be  

Do you have the draft strawman version of the T10 revision you spoke  
of in recent posts?

Ed (and the rest of the Top 10 gang),

I think Ed has a good idea to regroup and have a small team of people  
responsible for this project. After my experience with the Guide,  
having a single "vision" of where things need to go really helps  
produce a focussed deliverable. Saying that, once the planning and  
whatnot is done, still work publicly and openly. There are many  
people who are willing to help who do not live near DC.

My suggestions for the group to make a great Top 10:

a) Revisit bugtraq and analyze this year's vulnerabilities. Nothing  
beats real data. This is the Top 10 after all. Be clear on  
vulnerabilities versus threats versus countermeasures... Top 10  
should be about vulnerabilities leading to actual business loss.

b) Use the STRIDE / DREAD or CVSS scoring system against (a) to  
determine which ones really are important. My view is that where a  
vulnerability may lead to actual financial loss or expensive  
restoration of service (ie remote system compromises) are far more  
important and should be closer to the top. Once you have the top 10  
vulnerabilities sorted from (a), have a discussion on the relative  
ouchiness of each and order appropriately.

c) Discuss how you can determine if each of the vulnerabilities is  
testable using an automated scanner or prevented automatically from a  
WAF. If any of them are not so treatable, make sure you include  
language in the document stating this. Talk to owasp-leaders about  
including some strong wording to prevent vendors and users from mis- 
using or abusing this list. But my strong view is that the  
vulnerabilities should be testable and preventable where possible.

At this point, you'll be ready to write the Top 10.

Please note that the OWASP Top 10 is referenced in at least one  
enforceable standard (the PCI Guidelines). They are a major  
"customer". Please liaise with them to ensure that the revised Top 10  
is still useful to them. This means that you need to be very precise  
in your language, particularly in the "how to detect" and "how to  
fix" areas. If there are a range of resolutions or risk management  
applies, this should be clearly stated.

Lastly, in my view - major headings should be positive or neutral.  
All the things in the Top 10 are bad, so there's no reason to have 10  
negatives appear in the TOC. Try "Data validation", "Session  
Management", "Configuration", etc instead of "Broken this", "Brain  
dead that". We should have positive solutions for all of the things  
which are included. This simply works better with human nature. Many  
audits against OWASP Top 10 reports read like a cheesy 1970's  
disaster flick due to the scary titles, and I don't think we should  
perpetuate this myth. We should secure business if they want help,  
not scare them.


More information about the Owasp-topten mailing list