[Owasp-topten] OWASP Top 10 2009

Dave Wichers dave.wichers at aspectsecurity.com
Sat May 16 17:37:10 EDT 2009

Regarding merging injection and XSS, I really don't think that is a good
idea. SQL Injection and XSS flaws are always reported separately and
they are #1 and #2 in reported quantity so burying one inside the same
bucket with the other would remove the emphasis that is sorely needed to
keep these two items at the top of people's radar. So, I don't think
that is the best way to create a slot.

That said, I agree with your concern about Insecure Configuration
Management disappearing from the Top 10. This specific topic was brought
up in Portugal at the OWASP summit so is definitely something we need to
directly address.

The two proposed options were:

1) Add it back in to the Top 10 (and there is definitely merit to that),
2) Make it clear in each top 10 item that the system needs to be
configured properly in that area for that area to be performed properly.

Item #1 makes this important issue much more obvious, but there were
mixed opinions on which of the two paths we should take.

So that is definitely something we need to discuss and resolve.


-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Tyler Reguly
Sent: Thursday, May 14, 2009 5:29 PM
To: owasp-topten at lists.owasp.org
Subject: [Owasp-topten] OWASP Top 10 2009

Hey All,

Somehow I missed the thread on the first round of discussion on OWASP
Top 10 2009, but I wanted to bring something up that has always
bothered me slightly about the 2007 list.

The 2007 list seems to "waste" a slot, by having Injection Flaws as a
large bucket but then splitting out XSS (which is simply another
injection flaw). I'd like to see that not exist on the next iteration
of the list and to that point, the 8 items presented by Jeremiah, in
the original discussion on this list, resolve this by removing
injection flaws and inserting SQLi, which means that XSS doesn't
become repetitive. From a historic standpoint... in order to get
awareness, I think it fit at the time, but now I'm not sure that it's

- Cross Site Scripting
- SQL Injection
- Insecure Direct Object Reference / Predictable Resources Location
- Cross Site Request Forgery
- Clickjacking / UI Redressing
- Insufficient Authorization
- Insecure Communications / Insufficient Transport Layer Protection
- Open URL Redirectors

Since the presented list only contains 8 items, I wanted to bring up
another point that I think deserves discussion. The 2004 list
contained A10 - Insecure Configuration Management and discussed items
such as vulnerable server software. I think this is an important
point... the removal of this item makes sense if the list is designed
to target people in pure development roles. In my mind though it
removes a critical item that other groups who rely on the Top 10 make
use of. Owning the system means owning the web app and if the goal is
to map the "Top 10 biggest security risks to web applications" then I
think this deserves a spot. Web App Auditors and Web App Security
Scanners should both be considering this aspect because undoubtedly
the attackers are going to be. Yet I think the biggest group affected
by the lack of this item is IT people at SMBs.

Having worked in the IT role at an SMB, I know that it's quite often a
single person responsible for OS, Software and Web Application
security and that is only one of their roles. If they are deploying a
web app and using the Top 10 as a checklist, they are missing a
critical part of the infrastructure of that application. For that
reason I'd love to see Insecure Configuration Management (or a
variation of it) that covers all the underlying infrastructure, not
just the web server included in the list.
