[Owasp-topten] OWASP Top 10 2007 Release Candidate

Dinis Cruz dinis at ddplus.net
Thu Feb 1 04:39:43 EST 2007


Hi, I would just add this variation to that Risk calculation

Risk = (Threat x Vulnerability) / Countermeasure
     = ((Impact x Probability) x Vulnerability) / Countermeasure
     = ((Impact x (# of occurrences / Time period)) x Vulnerability) / Countermeasure

Having Probability in there is very important since you might have Critical
Vulnerabilities which haven't been properly exploited so far.

A very good example is web application hosting environments (which at the
moment just about all run without any type of Sandbox and are not able to
contain malicious code, for example Full Trust in .Net).

Although the vulnerability is critical, there has been barely any
exploitation of it, so the Risk is today very low.

Now if next week several major ASP.NET ISPs (most, if not all, of whom
offer Full Trust accounts) are compromised and several companies get owned
by an attack that is exploiting their run-time environment, the Probability
would dramatically go up, and so would the Risk.

Other good examples are CSRF, some types of XSS and buffer overflows on the
.Net Framework.

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org

On 2/1/07, PETIT Ludovic <ludovic.petit at fr.sfr.com> wrote:
>
>  Hi all
>
> As soon as the final document is available, I'll begin to translate
> the Top 10 2007 into French, in order to give a final translation by the
> end of March, for example.
>
> I agree with Raoul about Threats v. Vulnerabilities, because, without
> raising a debate on semantics, Threat implies an action likely to harm
> something (e.g. the resources of a company), Vulnerability corresponding
> to the level of exposure to the threat.
> Anyway, most people have heard of XSS.
>
> Wouldn't it be a good idea (that may be too "formal" but it's just a
> suggestion ;-), for instance, to add the following "constant" in the List
>
>         Risk  =  (Threat x Vulnerability) / Countermeasure
>
> because whatever the Top 10 content could be, the equation still remains
> the same for the users.
>
>
> Ludovic
>
> -----Original Message-----
> From: owasp-topten-bounces at lists.owasp.org
> [mailto:owasp-topten-bounces at lists.owasp.org]
> On Behalf Of Andrew van der Stock
> Sent: Monday, January 29, 2007 9:21 PM
> To: owasp-topten at lists.owasp.org; owasp-leaders at lists.owasp.org
> Subject: [Owasp-topten] OWASP Top 10 2007 Release Candidate
>
> Hi there,
>
> After a lot of work by me, Jeff and Dave, and comments and inputs from
> Raoul and the list, here finally is the release candidate of the OWASP Top
> 10 2007!
>
> As the file is too big, and as we must start transitioning the content to
> the Wiki, here is the placeholder Wiki T10 2007 page:
>
> http://www.owasp.org/index.php/Top_10_2007
>
> Please download and review. I would like to ensure that all comments (and
> changes) are locked in by February 28, 2007. This unreleased document MUST
> NOT be used in production documentation nor in any standards - it's not
> totally ready yet.
>
> If you are able to translate this document into other languages (it's only
> 35 pages), please let me know ... and make it so! :)
>
> If you know folks at PCI (or are those folks at PCI), please get in
> contact with me so we can start talking over how this changes the PCI DSS.
>
> Thanks,
> Andrew
>
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-topten

