[Owasp-topten] OWASP Top 10 2007 Release Candidate

Endres, Raoul endresr at anz.com
Thu Feb 1 18:31:36 EST 2007

Some ramblings - just to further discussion:

I think it's important to keep in mind the difference between Risk and

The Top10 should be a Security list -- to make it a Risk list, it would
need to take into account all manner of variables we cannot know, the
value of the service provided by the application being the prime

Therefore, we should steer clear of Risk if at all possible.

Secondly, let's also remember that this Top10 comes from
statistical/historical information. I.e.: actual vulnerabilities! So,
are we describing threats that lead to specific vulnerabilities??? In
this case, there would have to be a one-to-one relationship between
threats and vulnerabilities, which is not the case.

I think the idea of an "Attack vector" is really good! We should look at
how to rewrite the list in terms of attack vectors, while trying to keep
the original names for the sake of clarity for the reader (this is a
security minded discussion on semantics. Anyone reading the Top10 will
not be aware of the differences between Vulnerabilities and Threats.)


-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Nigel Evans
Sent: Friday, 2 February 2007 10:12 AM
To: owasp-leaders at lists.owasp.org; owasp-topten at lists.owasp.org; Andrew
van der Stock
Subject: Re: [Owasp-topten] OWASP Top 10 2007 Release Candidate

The issue seems to be how to resolve the matter of 'threat' and
'vulnerability'.  The generally accepted definition of risk is that it
is the combination of likelihood of an event and its consequences, if
you factor in all countermeasures the risk turns into 'residual risk',
the implication being that 'risk' actually means 'inherent risk'.  

However, in the ICT security space the security event is also the
combination of vulnerability and attack.  The vulnerability has to be
exploitable to be 'of interest', and an attack needs something to work
on.  A threat is merely a conceivable attack, to be 'of interest' it
needs an exploitable vulnerability.  (I'll ignore the philosophical
issue of whether a vulnerability that is not of interest is a

It seems to me that the Top Ten should be addressing the intersection of
historically known attack and exploitable vulnerability, a list of
hundreds could also deal in 'threats'.  The problem is to find a name
for this intersection; off the top of my head 'attack vector' might be a

Validation is another word with meanings depending on its use.  The
problem is that its ICT use goes back a long way (for ICT).  It's an
essential component of processable messages and this almost certainly
predates its use for narrow security reasons (although you could argue
that since its purpose has always been integrity it's always been
security even if its appliers didn't see it that way!).

However, modern use for security is somewhat different, and probably
simpler, than multi-level validation used in processable messages (e.g.
where the content of one data item in a message can determine the
acceptable range of values in another data item, and systems with
primary, secondary and tertiary validation rules).  

Perhaps referring explicitly to 'security validation' solves the
problem.  I'd also agree that after a small allowance for human error,
AKA finger trouble, a security validation failure should terminate the



>>> Andrew van der Stock <vanderaj at owasp.org> 30/01/07 7:20 am >>>
Hi there,

After a lot of work by me, Jeff and Dave, and comments and inputs from
Raoul and the list, here finally is the release candidate of the OWASP
Top 10 2007! 

As the file is too big, and as we must start transitioning the content
to the Wiki, here is the placeholder Wiki T10 2007 page:


Please download and review. I would like to ensure that all comments
changes) are locked in by February 28, 2007. This unreleased document
MUST NOT be used in production documentation nor in any standards - it's
not totally ready yet. 

If you are able to translate this document into other languages (it's
35 pages), please let me know ... and make it so! :)

If you know folks at PCI (or are those folks at PCI), please get in
contact with me so we can start talking over how this changes the PCI


Owasp-topten mailing list
Owasp-topten at lists.owasp.org

