[Owasp-topten] Thoughts on OWASP Top 10 2009 - Round 1

Neil Smithline owasp-topten at smithline.net
Wed Mar 18 20:35:48 EDT 2009


>Steven Christey wrote....

By the way - I strongly believe that ease-of-exploit and attack frequency
are correlated, at least based on what I see in CVE and its rough
alignment with publicized attacks.  However, with an advanced adversary,
the correlation may be less (since ease-of-exploit may also be associated
with ease-of-detection).

To add onto this Steve, ease-of-exploit is frequently very hard to talk
about in the future. A ridiculously hard to exploit vulnerability is exactly
one posted script away from being a ridiculously trivial exploit. The
problem is, until that script comes is written, there is no way to know if
it ever will be written.

Sometimes exploit difficulty even goes from easy to hard. This happens less
frequently but one might argue, for example, that the intelligence brought
on by GMail's spam blocker made email exploits more difficult, at least for
awhile.

Also, your point about an advanced adversary is an excellent one. All too
often attacks are discovered years after they began.

Not proposing anything different, just something to be aware of.

Neil


Personal: http://www.smithline.net
Voice: 781-754-7628
Fax: 206-666-5090

Professional:
<http://www.smithline.net>Founder & Senior Security Consultant
OneStopAppSecurity.com
https://www.OneStopAppSecurity.com


(Signature provided with the help of <https://www.OneStopAppSecurity.com>
WiseStamp <http://www.wisestamp.com>)


On Wed, Mar 18, 2009 at 18:26, Steven M. Christey <coley at linus.mitre.org>wrote:

> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-topten/attachments/20090318/cfcdd548/attachment.html 


More information about the Owasp-topten mailing list