[Owasp-topten] OWASP Top 10 2009
AF
owasp at nxtg.net
Fri May 15 08:34:44 EDT 2009
Oh. Sorry for my previous email, it seems that the message was related
to the 8-items list and not the actual 10-items list.
My apologies -_-;
Antonio Fontes
Raul Siles wrote:
> Hello,
> Following Tyler's suggestion, I would like to follow up the discussion
> with another topic I feel should be added to the list, "Session
> management issues".
>
> We can think about the best title for it, but the idea is to reflect
> all the security issues around session management in web applications,
> such as the lack of more restrictive cookie directives like httponly
> or secure, vulnerabilities such as session fixation, the lack of
> additional protections against session id duplication (by checking
> other client details), the bad habit of allowing http and https
> interchangeably in different web sections disclosing session ids
> (potential overlapping with "Insecure Communications / Insufficient
> Transport Layer Protection"), etc.
>
> In my experience, almost all applications are vulnerable in some way to
> different session management issues, hence its importance.
>
> Cheers,
> --
> Raul Siles
> www.raulsiles.com
>
>
> On Thu, May 14, 2009 at 11:47 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>
> Good point, the persons that point to OWASP's Top 10 are a wide
> audience these days including .gov's, tools and best practice
> documents. Dave Wichers is the project lead for the 2009 update.
>
> In Portugal our friend at PCI made it clear that OWASP is an
> ongoing valuable reference, as well as large industry stakeholders
> such as Darren and others that want to share other vuln data in
> support of what they see and track in an agnostic way.
>
> Dave, what are you thinking the revised submission criteria are for
> this next round that people on this project/list can help with, so
> we as a professional .org can back up with references as well
> as hypotheses of under-reported items, new trends etc. for the next
> rev., under the forthcoming grant project effort?
>
>
>
>
> --------------------------------------------
> Sent from my crackberry, call me and let's discuss the old-fashioned
> way at 973-202-0122 if you have any questions about this email.
>
> -----Original Message-----
> From: Tyler Reguly <ht at computerdefense.org>
>
> Date: Thu, 14 May 2009 17:29:21
> To: <owasp-topten at lists.owasp.org>
> Subject: [Owasp-topten] OWASP Top 10 2009
>
>
> Hey All,
>
> Somehow I missed the thread on the first round of discussion on OWASP
> Top 10 2009, but I wanted to bring something up that has always
> bothered me slightly about the 2007 list.
>
> The 2007 list seems to "waste" a slot, by having Injection Flaws as a
> large bucket but then splitting out XSS (which is simply another
> injection flaw). I'd like to see that not exist on the next iteration
> of the list and to that point, the 8 items presented by Jeremiah, in
> the original discussion on this list, resolve this by removing
> injection flaws and inserting SQLi, which means that XSS doesn't
> become repetitive. From a historical standpoint... in order to get
> awareness, I think it fit at the time, but now I'm not sure that it's
> needed.
>
> - Cross Site Scripting
> - SQL Injection
> - Insecure Direct Object Reference / Predictable Resources Location
> - Cross Site Request Forgery
> - Clickjacking / UI Redressing
> - Insufficient Authorization
> - Insecure Communications / Insufficient Transport Layer Protection
> - Open URL Redirectors
>
> Since the presented list only contains 8 items, I wanted to bring up
> another point that I think deserves discussion. The 2004 list
> contained A10 - Insecure Configuration Management and discussed items
> such as vulnerable server software. I think this is an important
> point... the removal of this item makes sense if the list is designed
> to target people in pure development roles. In my mind, though, it
> removes a critical item that other groups who rely on the Top 10 make
> use of. Owning the system means owning the web app and if the goal is
> to map the "Top 10 biggest security risks to web applications" then I
> think this deserves a spot. Web App Auditors and Web App Security
> Scanners should both be considering this aspect because undoubtedly
> the attackers are going to be. Yet I think the biggest group affected
> by the lack of this item is IT people at SMBs.
>
> Having worked in the IT role at an SMB, I know that it's quite often a
> single person responsible for OS, Software and Web Application
> security and that is only one of their roles. If they are deploying a
> web app and using the Top 10 as a checklist, they are missing a
> critical part of the infrastructure of that application. For that
> reason I'd love to see Insecure Configuration Management (or a
> variation of it) that covers all the underlying infrastructure, not
> just the web server included in the list.
>
> Tyler.
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
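Raul's proposed "Session management issues" entry bundles several controls that are easy to state and easy to get wrong in practice: restrictive cookie directives (Secure, HttpOnly), rotating the session id at login so a pre-planted id cannot be used (session fixation), binding a session to additional client details, and refusing to honour a session cookie that arrives over plain HTTP. The following is an added example written for this page to show those four controls together in one small in-memory session store; it is not code from the OWASP Top 10 project or from anyone on the list. The cookie name SESSIONID, the 15-minute idle timeout, the choice of User-Agent as the bound client detail and all sample values are assumptions made for the illustration.

```python
"""Session-management hardening demo (added example, not from the OWASP list
thread): Secure/HttpOnly cookie, id rotation at login, client binding, and
rejection of session cookies presented over plain HTTP. Names and values
below are constructed for illustration."""
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "SESSIONID"  # assumed cookie name


def session_cookie_header(sid: str) -> str:
    """Set-Cookie line carrying the restrictive directives the thread names
    (Secure, HttpOnly); SameSite=Strict additionally stops browsers sending
    the cookie on cross-site requests."""
    return (f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


def client_fingerprint(user_agent: str) -> str:
    """Digest of client details the session is bound to. User-Agent is chosen
    (an assumption) because binding to the client IP breaks legitimate users
    behind NAT and on mobile networks; this is a cheap extra check layered on
    top of TLS, not a replacement for it."""
    return hashlib.sha256(user_agent.encode()).hexdigest()


class SessionStore:
    def __init__(self, idle_timeout: int = 900, clock=time.time):
        self._sessions: dict[str, dict] = {}
        self.idle_timeout = idle_timeout  # seconds of inactivity before expiry
        self._clock = clock               # injectable so tests can advance time

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def create(self, fingerprint: str) -> str:
        """Anonymous (pre-login) session."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "fp": fingerprint,
                               "last": self._clock()}
        return sid

    def login(self, old_sid: str, user: str, fingerprint: str) -> str:
        """Issue a fresh id at the privilege change and discard the old one, so
        an id an attacker planted before login never becomes authenticated."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "fp": fingerprint,
                               "last": self._clock()}
        return sid

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def validate(self, sid: str, fingerprint: str, is_https: bool):
        """Return the session dict, or None if the presented id is not acceptable."""
        if not is_https:
            # A Secure cookie should never reach us in clear; if it does, the
            # id may already be exposed, so do not treat it as a valid session.
            return None
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if not hmac.compare_digest(sess["fp"], fingerprint):
            self.revoke(sid)  # id presented from a different client: drop it
            return None
        now = self._clock()
        if now - sess["last"] > self.idle_timeout:
            self.revoke(sid)  # idle too long
            return None
        sess["last"] = now
        return sess


if __name__ == "__main__":
    store = SessionStore()
    fp = client_fingerprint("Mozilla/5.0 (constructed UA)")
    pre_login = store.create(fp)               # id a fixation attack would plant
    authed = store.login(pre_login, "alice", fp)
    print(session_cookie_header(authed))
    print("planted id still valid after login:",
          store.validate(pre_login, fp, True) is not None)   # False
    print("over plain http:", store.validate(authed, fp, False))  # None
```

Two design choices worth noting: rotating the id at login is what actually closes session fixation, the cookie flags only reduce how an id leaks; and when the client binding fails the session is revoked rather than merely rejected, since an id seen from two different clients is better treated as compromised than as a transient mismatch.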