[Owasp-topten] Thoughts on OWASP Top 10 2009 - Round 1

Ralph Durkee rd at rd1.net
Wed Mar 18 14:23:00 EDT 2009


Sounds like a good approach. one small nit, on the impact it would seem we
could discuss much of the technical impact, but I can't think of any
business impact that would be independent of the business. ;->

I really like the idea of having a smaller document and referencing the
OWASP web site for details for the developers.

-- Ralph Durkee


> I finally have gotten a chance to start thinking about the organization
> and structure of the Top 10 update for 2009 and I wanted to share some
> thoughts. So, I have two high level questions/suggestions for you:
>
>
>
> 1)      Top 10 of what? The 2007 version was mostly the top 10 most
> likely to exist vulnerabilities. Previous versions weren't as focused on
> that but still indicated it was a list of the Top 10 vulnerabilities.
>
>
>
> For this version, I think it should be the Top 10 biggest security risks
> to web applications.
>
>
>
> This means that we should consider a number of factors when calculating
> the risk. OWASP has a risk rating model that I think we should use as a
> guide for this
> (http://www.owasp.org/index.php/How_to_value_the_real_risk). However,
> this model includes a number of factors that are very specific to the
> organization evaluating the risk, the threats that organization faces,
> and specifics of the actual vulnerability being assessed.
>
>
>
> I'm not proposing we include and consider all 16 factors from this
> model. But I do think we should consider the following:
>
>
>
> a)      Likelihood of existence of vulnerability (What was the primary
> factor previously).
>
> b)      Ease of discovery
>
> c)       Ease of exploit (OWASP Term)/attack frequency (Used by MITRE
> Top 25 programming flaws) (Do these correlate or are they fundamentally
> different?)
>
> d)      Impact (Both Technical and Business)
>
>
>
> The MITRE Top 25 doc also includes Awareness of that type of
> vulnerability as a factor but I'm thinking if it's in the Top 10,
> everyone is aware of it now, so it's generally not worth
> including/considering, but I could be talked out of this. I recognize
> that this is not always true. CSRF wasn't very well known when we
> released it into the Top 10 in 2007, but it's certainly much more well
> known now.
>
>
>
> 2)      Structure of document - This goes to the audience of the
> document.
>
>
>
> I think the Top 10 items and their brief descriptions is more of a
> management document, than a developer doc. However, the existing doc has
> lots of details for developers making it less useful as a management
> document, but not enough detail to be really useful for developers
> either. Jeff Williams has a suggestion that I like:
>
>
>
> a)      Lets produce a 'small' Top 10 this year, like max 15-20 pp,
> where there are a few pages of intro, 1 page for each item in the Top
> 10, and a couple concluding pages. This would be primarily an awareness
> doc for management and developers.
>
> b)      We should then either produce a larger technical report that
> provides the technical meat for the developers, or simply link to 10
> articles at OWASP on each of the top 10 items that provide the technical
> meant. This would be more detail than what we have in there now.
>
> a.       I think we should do both of these actually. I suggest we write
> the 10 articles at OWASP, and then once they are done and the Top 10 for
> 2009 itself is done, then we can pull all this into a single document.
>
> c)       Both of these docs would be made available as PDFs.
>
>
>
> In a later discussion I want to talk about what should be included in
> each writeup for each Top 10 item, both the short and long versions.
>
>
>
> And also a discussion of the sources of known vulnerabilities we should
> look at to help identify the likelihood of existing factor across more
> than just the MITRE CVE Repository.
>
>
>
> -Dave
>
>
>
>
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>




More information about the Owasp-topten mailing list