[Owasp-topten] Thoughts on OWASP Top 10 2009 - Round 1

Neil Smithline owasp-topten at smithline.net
Wed Mar 18 20:35:48 EDT 2009

> Steven Christey wrote:
>
> By the way - I strongly believe that ease-of-exploit and attack frequency
> are correlated, at least based on what I see in CVE and its rough
> alignment with publicized attacks.  However, with an advanced adversary,
> the correlation may be less (since ease-of-exploit may also be associated
> with ease-of-detection).

To add onto this, Steve, ease-of-exploit is frequently very hard to talk
about in the future. A ridiculously hard to exploit vulnerability is exactly
one posted script away from being a ridiculously trivial exploit. The
problem is, until that script is written, there is no way to know if
it ever will be written.

Sometimes exploit difficulty even goes from easy to hard. This happens less
frequently, but one might argue, for example, that the intelligence brought
on by GMail's spam blocker made email exploits more difficult, at least for

Also, your point about an advanced adversary is an excellent one. All too
often attacks are discovered years after they began.

Not proposing anything different, just something to be aware of.


Personal: http://www.smithline.net
Voice: 781-754-7628
Fax: 206-666-5090

<http://www.smithline.net>Founder & Senior Security Consultant

(Signature provided with the help of <https://www.OneStopAppSecurity.com>
WiseStamp <http://www.wisestamp.com>)

On Wed, Mar 18, 2009 at 18:26, Steven M. Christey <coley at linus.mitre.org> wrote:

