[Owasp-topten] OWASP Top 10 2009

Tom Brennan - OWASP tomb at owasp.org
Thu May 14 17:47:09 EDT 2009

Good point, the persons that point to OWASP's Top 10 are a wide audience these days including .gov's, tools and best practice documents.  Dave Wichers is the project lead for the 2009 update. 

In Portugal our friend at PCI made it clear that OWASP is an ongoing valuable reference, as well as large industry stakeholders such as Darren and others that want to share other vuln data in support of what they see and track in an agnostic way.
Dave, what are you thinking the revised submission criteria will be for this next round that people on this project/list can help with, so that we, as a professional .org, can back up with references as well as hypotheses of under-reported items, new trends, etc. for the next rev., under the forthcoming grant project effort?

Sent from my crackberry, call me and let's discuss the old-fashioned way at 973-202-0122 if you have any questions about this email.

-----Original Message-----
From: Tyler Reguly <ht at computerdefense.org>

Date: Thu, 14 May 2009 17:29:21 
To: <owasp-topten at lists.owasp.org>
Subject: [Owasp-topten] OWASP Top 10 2009

Hey All,

Somehow I missed the thread on the first round of discussion on OWASP
Top 10 2009, but I wanted to bring something up that has always
bothered me slightly about the 2007 list.

The 2007 list seems to "waste" a slot, by having Injection Flaws as a
large bucket but then splitting out XSS (which is simply another
injection flaw). I'd like to see that not exist on the next iteration
of the list and to that point, the 8 items presented by Jeremiah, in
the original discussion on this list, resolve this by removing
injection flaws and inserting SQLi, which means that XSS doesn't
become repetitive. From a historic standpoint... in order to get
awareness, I think it fit at the time, but now I'm not sure that it's

- Cross Site Scripting
- SQL Injection
- Insecure Direct Object Reference / Predictable Resources Location
- Cross Site Request Forgery
- Clickjacking / UI Redressing
- Insufficient Authorization
- Insecure Communications / Insufficient Transport Layer Protection
- Open URL Redirectors

Since the presented list only contains 8 items, I wanted to bring up
another point that I think deserves discussion. The 2004 list
contained A10 - Insecure Configuration Management and discussed items
such as vulnerable server software. I think this is an important
point... the removal of this item makes sense if the list is designed
to target people in pure development roles. In my mind though it
removes a critical item that other groups who rely on the Top 10 make
use of. Owning the system means owning the web app and if the goal is
to map the "Top 10 biggest security risks to web applications" then I
think this deserves a spot. Web App Auditors and Web App Security
Scanners should both be considering this aspect because undoubtedly
the attackers are going to be. Yet I think the biggest group affected
by the lack of this item is IT people at SMBs.

Having worked in the IT role at an SMB, I know that it's quite often a
single person responsible for OS, Software and Web Application
security and that is only one of their roles. If they are deploying a
web app and using the Top 10 as a checklist, they are missing a
critical part of the infrastructure of that application. For that
reason I'd love to see Insecure Configuration Management (or a
variation of it) that covers all the underlying infrastructure, not
just the web server included in the list.
