[Owasp-topten] OWASP Top 10 2007 Release Candidate

Nigel Evans Nigel.Evans at commerce.nsw.gov.au
Thu Feb 1 18:11:50 EST 2007


The issue seems to be how to resolve the matter of 'threat' and
'vulnerability'.  The generally accepted definition of risk is that it
is the combination of likelihood of an event and its consequences, if
you factor in all countermeasures the risk turns into 'residual risk',
the implication being that 'risk' actually means 'inherent risk'.  

However, in the ICT security space the security event is also the
combination of vulnerability and attack.  The vulnerability has to be
exploitable to be 'of interest', and an attack needs something to work
on.  A threat is merely a conceivable attack, to be 'of interest' it
needs an exploitable vulnerability.  (I'll ignore the philosophical
issue of whether a vulnerability that is not of interest is a
vulnerability!).

It seems to me that the Top Ten should be addressing the intersection
of historically known attack and exploitable vulnerability, a list of
hundreds could also deal in 'threats'.  The problem is to find a name
for this intersection, of the top of my head  'attack vector' might be a
runner.  

Validation is another word with meanings depending on its use.  The
problem is that its ICT use goes back a long way (for ICT).  It's an
essential component of processable messages and this almost certainly
predates its use for narrow security reasons (although you could argue
that since its purpose has always been integrity it's always been
security even if its appliers didn't see it that way!).

However, modern use for security is somewhat different, and probably
simpler, than multi-level validation used in processable messages (eg
where the content of one data item in a message can determine the
acceptable range of values in another data item, and systems with
primary, secondary and tertiary validation rules).  

Perhaps referring explicitly to 'security validation' solves the
problem.  I'd also agree that after a small allowance for human error,
AKA finger trouble, a security validation failure should terminate the
session.

Rgds

N

>>> Andrew van der Stock <vanderaj at owasp.org> 30/01/07 7:20 am >>>
Hi there,

After a lot of work by me, Jeff and Dave, and comments and inputs from
Raoul
and the list, here finally is the release candidate of the OWASP Top
10
2007! 

As the file is too big, and as we must start transitioning the content
to
the Wiki, here is the placeholder Wiki T10 2007 page:

http://www.owasp.org/index.php/Top_10_2007 

Please download and review. I would like to ensure that all comments
(and
changes) are locked in by February 28, 2007. This unreleased document
MUST
NOT be used in production documentation nor in any standards - it's
not
totally ready yet. 

If you are able to translate this document into other languages (it's
only
35 pages), please let me know ... and make it so! :)

If you know folks at PCI (or are those folks at PCI), please get in
contact
with me so we can start talking over how this changes the PCI DSS.

Thanks,
Andrew


_______________________________________________
Owasp-topten mailing list
Owasp-topten at lists.owasp.org 
http://lists.owasp.org/mailman/listinfo/owasp-topten

******************************************************************************

This email message, including any attached files, is confidential and intended solely for the use of the individual or entity to whom it is addressed. 

The NSW Department of Commerce prohibits the right to publish, 
copy, distribute or disclose any information contained in this email, 
or its attachments, by any party other than the intended recipient. 
If you have received this email in error please notify the sender and delete it from your system.

No employee or agent is authorised to conclude any binding 
agreement on behalf of the NSW Department of Commerce by email. The views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Department, 
except where the sender expressly, and with authority, states them to be the views of NSW Department of Commerce.  

The NSW Department of Commerce accepts no liability for any loss or damage arising from the use of this email and recommends that the recipient check this email and any attached files for the presence of viruses. 

******************************************************************************


More information about the Owasp-topten mailing list