[Owasp-topten] Thoughts on OWASP Top 10 2009 - Round 1

Dave Wichers dave.wichers at aspectsecurity.com
Wed Mar 18 14:00:59 EDT 2009

I finally have gotten a chance to start thinking about the organization
and structure of the Top 10 update for 2009 and I wanted to share some
thoughts. So, I have two high level questions/suggestions for you:


1)      Top 10 of what? The 2007 version was mostly the top 10 most
likely to exist vulnerabilities. Previous versions weren't as focused on
that but still indicated it was a list of the Top 10 vulnerabilities.


For this version, I think it should be the Top 10 biggest security risks
to web applications.


This means that we should consider a number of factors when calculating
the risk. OWASP has a risk rating model that I think we should use as a
guide for this
(http://www.owasp.org/index.php/How_to_value_the_real_risk). However,
this model includes a number of factors that are very specific to the
organization evaluating the risk, the threats that organization faces,
and specifics of the actual vulnerability being assessed.


I'm not proposing we include and consider all 16 factors from this
model. But I do think we should consider the following:


a)      Likelihood of existence of vulnerability (What was the primary
factor previously).

b)      Ease of discovery

c)       Ease of exploit (OWASP Term)/attack frequency (Used by MITRE
Top 25 programming flaws) (Do these correlate or are they fundamentally

d)      Impact (Both Technical and Business)


The MITRE Top 25 doc also includes Awareness of that type of
vulnerability as a factor but I'm thinking if it's in the Top 10,
everyone is aware of it now, so it's generally not worth
including/considering, but I could be talked out of this. I recognize
that this is not always true. CSRF wasn't very well known when we
released it into the Top 10 in 2007, but it's certainly much more well
known now.


2)      Structure of document - This goes to the audience of the


I think the Top 10 items and their brief descriptions is more of a
management document, than a developer doc. However, the existing doc has
lots of details for developers making it less useful as a management
document, but not enough detail to be really useful for developers
either. Jeff Williams has a suggestion that I like:


a)      Lets produce a 'small' Top 10 this year, like max 15-20 pp,
where there are a few pages of intro, 1 page for each item in the Top
10, and a couple concluding pages. This would be primarily an awareness
doc for management and developers.

b)      We should then either produce a larger technical report that
provides the technical meat for the developers, or simply link to 10
articles at OWASP on each of the top 10 items that provide the technical
meant. This would be more detail than what we have in there now.

a.       I think we should do both of these actually. I suggest we write
the 10 articles at OWASP, and then once they are done and the Top 10 for
2009 itself is done, then we can pull all this into a single document.

c)       Both of these docs would be made available as PDFs.


In a later discussion I want to talk about what should be included in
each writeup for each Top 10 item, both the short and long versions.


And also a discussion of the sources of known vulnerabilities we should
look at to help identify the likelihood of existing factor across more
than just the MITRE CVE Repository.





-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-topten/attachments/20090318/1b09461a/attachment.html 

More information about the Owasp-topten mailing list