[Owasp-topten] OWASP Top 10 2007 Release Candidate

Nigel Evans Nigel.Evans at commerce.nsw.gov.au
Thu Feb 1 19:00:50 EST 2007


I think the relationship of the Top 10 to risk is that the list is a
risk treatment.  Stating it semi-formally, it deals with the risk that:

'Developers build web applications with vulnerabilities that are
exploited by attackers to the detriment of the application operator and
their clients'.  (I've wimped out on defining 'detriment' for the sake
of brevity)

It treats this risk by informing developers about the top 10 attack
vectors and identifying measures to reduce the most significant
exposures.

Rgds

N

>>> "Endres, Raoul" <endresr at anz.com> 2/02/07 10:31 am >>>
Some ramblings - just to further discussion:

I think it's important to keep in mind the difference between Risk and
Security.

The Top10 should be a Security list -- to make it a Risk list, it would
need to take into account all manner of variables we cannot know, the
value of the service provided by the application being the prime
example.

Therefore, we should steer clear of Risk if at all possible.

Secondly, let's also remember that this Top10 comes from
statistical/historical information. I.e.: actual vulnerabilities! So,
are we describing threats that lead to specific vulnerabilities??? In
this case, there would have to be a one-to-one relationship between
threats and vulnerabilities, which is not the case.

I think the idea of an "Attack vector" is really good! We should look at
how to rewrite the list in terms of attack vectors, while trying to keep
the original names for the sake of clarity for the reader (this is a
security minded discussion on semantics. Anyone reading the Top10 will
not be aware of the differences between Vulnerabilities and Threats.)


Cheers,
Raoul.

-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Nigel Evans
Sent: Friday, 2 February 2007 10:12 AM
To: owasp-leaders at lists.owasp.org; owasp-topten at lists.owasp.org;
Andrew van der Stock
Subject: Re: [Owasp-topten] OWASP Top 10 2007 Release Candidate

The issue seems to be how to resolve the matter of 'threat' and
'vulnerability'.  The generally accepted definition of risk is that it
is the combination of likelihood of an event and its consequences, if
you factor in all countermeasures the risk turns into 'residual risk',
the implication being that 'risk' actually means 'inherent risk'.  

However, in the ICT security space the security event is also the
combination of vulnerability and attack.  The vulnerability has to be
exploitable to be 'of interest', and an attack needs something to work
on.  A threat is merely a conceivable attack, to be 'of interest' it
needs an exploitable vulnerability.  (I'll ignore the philosophical
issue of whether a vulnerability that is not of interest is a
vulnerability!).

It seems to me that the Top Ten should be addressing the intersection of
historically known attack and exploitable vulnerability; a list of
hundreds could also deal in 'threats'.  The problem is to find a name
for this intersection; off the top of my head, 'attack vector' might be a
runner.

Validation is another word with meanings depending on its use.  The
problem is that its ICT use goes back a long way (for ICT).  It's an
essential component of processable messages and this almost certainly
predates its use for narrow security reasons (although you could argue
that since its purpose has always been integrity it's always been
security even if its appliers didn't see it that way!).

However, modern use for security is somewhat different, and probably
simpler, than multi-level validation used in processable messages (eg
where the content of one data item in a message can determine the
acceptable range of values in another data item, and systems with
primary, secondary and tertiary validation rules).  

Perhaps referring explicitly to 'security validation' solves the
problem.  I'd also agree that after a small allowance for human error,
AKA finger trouble, a security validation failure should terminate the
session.

Rgds

N

>>> Andrew van der Stock <vanderaj at owasp.org> 30/01/07 7:20 am >>>
Hi there,

After a lot of work by me, Jeff and Dave, and comments and inputs from
Raoul and the list, here finally is the release candidate of the OWASP
Top 10 2007! 

As the file is too big, and as we must start transitioning the content
to the Wiki, here is the placeholder Wiki T10 2007 page:

http://www.owasp.org/index.php/Top_10_2007 

Please download and review. I would like to ensure that all comments (and
changes) are locked in by February 28, 2007. This unreleased document
MUST NOT be used in production documentation nor in any standards - it's
not totally ready yet.

If you are able to translate this document into other languages (it's only
35 pages), please let me know ... and make it so! :)

If you know folks at PCI (or are those folks at PCI), please get in
contact with me so we can start talking over how this changes the PCI
DSS.

Thanks,
Andrew


_______________________________________________
Owasp-topten mailing list
Owasp-topten at lists.owasp.org 
http://lists.owasp.org/mailman/listinfo/owasp-topten 
