[Owasp-topten] Thoughts on OWASP Top 10 2009 - Round 1

Steven M. Christey coley at linus.mitre.org
Wed Mar 18 18:26:55 EDT 2009

[resent; apparently a variant of my e-mail wasn't subscribed to the list.
sorry for duplicates]

On Wed, 18 Mar 2009, Dave Wichers wrote:

> c) Ease of exploit (OWASP Term)/attack frequency (Used by MITRE
> Top 25 programming flaws) (Do these correlate or are they fundamentally
> different?)

Actually, for deciding membership on the Top 25, we used an informal
combination of prevalence within code, along with severity (what I think
you're calling impact).  Factors such as ease-of-exploit and awareness
were originally considered, but they didn't directly factor into the
decision to include an item on the list. They are listed as decision aids
to people reading the Top 25, so they can prioritize what to tackle first.

Note that severity can change depending on context, and prevalence numbers
aren't easily available (especially in the lower-level CWE "weakness"

The eventual definition of a "skilled and determined" threat agent, along
with vague notions of risk tolerance, definitely affected membership in
the Top 25.  While I believe that approach was useful, I would have
preferred more extensive vetting.  Also, if you pick one then you're going
to limit the applicability to audiences who don't have that particular
threat/risk model.

By the way - I strongly believe that ease-of-exploit and attack frequency
are correlated, at least based on what I see in CVE and its rough
alignment with publicized attacks.  However, with an advanced adversary,
the correlation may be less (since ease-of-exploit may also be associated
with ease-of-detection).

> CSRF wasn't very well known when we released it into the Top 10 in 2007,
> but it's certainly much more well known now.

As one data point - while the 2008 CVE trend data isn't final, CSRF is
somewhere around #11.

A broader question - any idea on how (or if it's even possible) to better
scope the Top 10 as a document for education instead of standardization?
(We're starting to see this with the Top 25, too.)

- Steve
