[Owasp-topten] Thoughts on OWASP Top 10 2009 - Round 1

Matteo Meucci matteo.meucci at owasp.org
Mon Mar 23 07:55:48 EDT 2009


Hi,
I agree with Dave's and Jeremiah's thoughts, but maybe we also have to review
the objectives and the output of the project. Here is my vision of the
OWASP Top10 2009.

1) Objectives
I think that the OWASP Top10 2009 readers want to read about the most found
vulnerabilities in 2008. Then they want to understand which are the 10 most
critical web application security flaws (as said here:
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)

2) List of OWASP vulnerabilities
Do we have a list of OWASP Vulnerabilities?
So the question is firstly to have a well-defined set of vulnerabilities;
then IMO the OWASP Community should give its contribution in finding the
Top10.
Proposal: should we use the set of vulnerabilities published in the Testing
Guide?
http://www.owasp.org/index.php/Testing_Checklist
Here we have the vulnerabilities and the OWASP name of the relative test.
For example:
SQL Injection - Data Validation Category - OWASP-DV-005
(In that list some of the vulnerabilities cited by Jeremiah are missing).

3) OWASP Top10 2009 vulnerabilities
Once we have a defined set of vulnerabilities, the OWASP Community should
give its contribution to find the Top10.
Many OWASP contributors are working on testing WebApps, so what if OWASP
collects all the input from many companies, which state the number
of XSS, CSRF, etc. found during the assessments in 2008?
During the last OWASP Summit, Dave talked about collecting information from
Aspect, Minded Security, WhiteHat Security for example.
Then using the Risk Rating model we can identify the 10 most critical web
application security flaws.

In that way we will have the 10 most found REAL vulnerabilities by the
OWASP Community.
What do you think about that?

Thanks,
Mat


On Thu, Mar 19, 2009 at 10:04 PM, Jeremiah Grossman <
jeremiah at whitehatsec.com> wrote:

> Hi all,
>
> I don't have much value to add on top of the discussion about
> vulnerability prevalence, ease, impact, exploitation likelihood, etc.
> When it comes to building such a list you guys all hit the relevant
> points.
>
> I also think the goal of building the "Top 10 biggest security risks
> to web applications" is worthwhile and feasible. To do so obviously
> we're going to be unable to leverage solid statistics to cover each
> aspect, which is not to say we would be on our own either.  I captured
> many of the recently publicly available reports here:
>
> http://jeremiahgrossman.blogspot.com/2008/12/its-unanimous.html
>
> We can also include data from:
>
> The Web Hacking Incidents Database
> http://whid.webappsec.org/
>
> WASC Web Application Security Statistics Project
> http://www.webappsec.org/projects/statistics/
>
> WhiteHat Website Security Statistics Report
> http://www.whitehatsec.com/home/resource/stats.html
>
>
> Still, we are going to have to rely upon our collective wisdom to fill
> in the gaps. As it stands, here is the current Top Ten 2007 for
> reference:
>
> 1) Cross Site Scripting
> 2) Injection Flaws
> 3) Malicious File Execution
> 4) Insecure Direct Object Reference
> 5) Cross Site Request Forgery
> 6) Information Leakage and Improper Error Handling
> 7) Broken Authentication and Session Management
> 8) Insecure Cryptographic Storage
> 9) Insecure Communications
> 10) Failure to Restrict URL Access
>
>
> For my part and experience, off the top of my head I'd like to see the
> following list considered. No particular order:
>
> - Cross Site Scripting
> - SQL Injection
> - Insecure Direct Object Reference / Predictable Resources Location
> - Cross Site Request Forgery
> - Clickjacking / UI Redressing
> - Insufficient Authorization
> - Insecure Communications / Insufficient Transport Layer Protection
> - Open URL Redirectors
>
> * Flash applications tend to have at least one of a lot of important
> little things that can and do go wrong, but it is hard to select just one.
>
> * Similar is true for Web Widgets, third-party advertisements, and
> traffic monitoring services. Websites are using more and more of JS
> includes, integrating arbitrary client-side code in an environment
> with limited security controls.
>
>
>
>
> On Mar 18, 2009, at 5:41 PM, Neil Smithline wrote:
>
> >
> > 2009/3/18 Dave Wichers <dave.wichers at aspectsecurity.com>
> > I think the Top 10 items and their brief descriptions is more of a
> > management document, than a developer doc. However, the existing doc
> > has lots of details for developers making it less useful as a
> > management document, but not enough detail to be really useful for
> > developers either. Jeff Williams has a suggestion that I like:
> >
> >
> >
> > I just want to note that a management-focus on the T10
> > vulnerabilities is a different document than the top 10 application
> > security management mistakes. The latter involves things such as
> > "We'll add security at the end when we add I18N.",  "We have smart
> > engineers so we can let every team worry about security on their
> > own.", and "The most famous is never get involved in a land war in
> > Asia" (oh wait, that's something different ;-)
> >
> > Neil
> >
> > Personal: http://www.smithline.net
> > Voice: 781-754-7628
> > Fax: 206-666-5090
> >
> > Professional:
> > Founder & Senior Security Consultant
> > OneStopAppSecurity.com
> > https://www.OneStopAppSecurity.com
> >
> >
> > (Signature provided with the help of WiseStamp)
> >
> > _______________________________________________
> > Owasp-topten mailing list
> > Owasp-topten at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-topten
>
>



-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide lead
http://www.owasp.org/index.php/Testing_Guide