[Owasp-topten] OWASP Top 10 2009
dave.wichers at aspectsecurity.com
Sat May 16 17:37:11 EDT 2009
I completely agree with you that Session Management is very important,
and a common area for problems.
Right, now we address this with: A7 - Broken Authentication and Session
Management, which combines authenticating the user safely with tracking
the user's identity during a session safely.
We could have just called this Broken Authentication, but added 'and
Session Management' to try to highlight the 2nd have of the problem.
We could break this into two topic areas in order to further emphasize
Session Management issues in a manner similar to what we did for
Authorization and Crypto in the last Top 10. For Authorization, we split
it into A4 - Insecure Direct Object Reference and A10 - Failure to
Restrict URL Access, and for Crypto, into A8 - Insecure Cryptographic
Storage, and A9 - Insecure Communications. This really comes down to a
'room' problem in the Top 10, in that we never have enough room to
emphasize everything that is important.
I suspect we will still have this problem in the 2009 update and so
would bet that we probably want to keep A7 the same, rather than find
something else to kick out of the top 10 so we can split it.
I personally would rather add Insecure Configuration Management back
into the Top 10, rather than use that slot to further emphasize Session
Management, and I already think it's going to be hard to make room to
add that one already.
p.s. And after pulling this together, I saw your reply:
Oh. Sorry for my previous email, it seems that the message was related
to the 8-items list and not the actual 10-items list.
My apologies -_-;
So it seems like you agree with me that we have it covered :-)
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Raul Siles
Sent: Friday, May 15, 2009 5:15 AM
To: tomb at owasp.org
Cc: owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] OWASP Top 10 2009
Following Tyler's suggestion, I would like to follow up the discussion
with another topic I feel should be added to the list, "Session
We can think about the best title for it, but the idea is to reflect all
the security issues around session management in web applications, such
as the lack of more restrictive cookie directives like httponly or
secure, vulnerabilities such as session fixation, the lack of additional
protections against session id duplication (by checking other client
details), the bad habit of allowing http and https interchangeably in
different web sections disclosing session ids (potential overlapping
with "Insecure Communications / Insufficient Transport Layer
On my experience, almost all applications are vulnerable someway to
different session management issues, hence its importance.
On Thu, May 14, 2009 at 11:47 PM, Tom Brennan - OWASP <tomb at owasp.org>
Good point, the persons that point to OWASP's Top 10 are a wide audience
these days including .gov's, tools and best practice documents. Dave
Wichers is the project lead for the 2009 update.
In Portugal our friend at PCI made it clear that OWASP is a ongoing
valuable reference as well as large industry stake holders such as
Darren and others that want to share other vuln data in support of what
they see and track in a agnostic way.
Dave what are you thinking is the revised submission criteria for this
next round that people on this project/list can help with so we can as a
professional .org can backup with references as well as hypothesis of
under reported items new trends etc for the next rev., under the
forthcoming grant project effort?
Sent from my crackberry, call me and lets discuss the old fashion way at
973-202-0122 if you have any questions about this email.
From: Tyler Reguly <ht at computerdefense.org>
Date: Thu, 14 May 2009 17:29:21
To: <owasp-topten at lists.owasp.org>
Subject: [Owasp-topten] OWASP Top 10 2009
Somehow I missed the thread on the first round of discussion on OWASP
Top 10 2009, but I wanted to bring something up that has always
bothered me slightly about the 2007 list.
The 2007 list seems to "waste" a slot, by having Injection Flaws as a
large bucket but then splitting out XSS (which is simply another
injection flaw). I'd like to see that not exist on the next iteration
of the list and to that point, the 8 items presented by Jeremiah, in
the original discussion on this list, resolve this by removing
injection flaws and inserting SQLi, which means that XSS doesn't
become repetitive. From a historic stand point... in order to get
awareness, I think it fit at the time, but now I'm not sure that it's
- Cross Site Scripting
- SQL Injection
- Insecure Direct Object Reference / Predictable Resources Location
- Cross Site Request Forgery
- Clickjacking / UI Redressing
- Insufficient Authorization
- Insecure Communications / Insufficient Transport Layer Protection
- Open URL Redirectors
Since the presented list only contains 8 items, I wanted to bring up
another point that I think deserves discussion. The 2004 list
contained A10 - Insecure Configuration Management and discussed items
such as vulnerable server software. I think this is an important
point... the removal of this item makes sense if the list is designed
to target people in pure development roles. In my mind thought it
removes a critical item that other groups who rely on the Top 10 make
use of. Owning the system means owning the web app and if the goal is
to map the "Top 10 biggest security risks to web applications" then I
think this deserves a spot. Web App Auditors and Web App Security
Scanners should both be considering this aspect because undoubtedly
the attackers are going to be. Yet I think the biggest group affected
by the lack of this item is IT people at SMBs.
Having worked in the IT role at an SMB, I know that it's quite often a
single person responsible for OS, Software and Web Application
security and that is only one of their roles. If they are deploying a
web app and using the Top 10 as a checklist, they are missing a
critical part of the infrastructure of that application. For that
reason I'd love to see Insecure Configuration Management (or a
variation of it) that covers all the underlying infrastructure, not
just the web server included in the list.
Owasp-topten mailing list
Owasp-topten at lists.owasp.org
Owasp-topten mailing list
Owasp-topten at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-topten