[Owasp-topten] OWASP Top 10 2009

Andre Gironda andre at operations.net
Tue May 19 16:53:36 EDT 2009


On Tue, May 19, 2009 at 9:09 AM, Jeremiah Grossman
<jeremiah at whitehatsec.com> wrote:
> Having said that, the number of items/vulns/attacks one could focus
> attention on WebAppSec is plainly enormous. Our job is to help
> newcomers prioritize on a grossly generalized basis. As such, we
> should NOT be trying to include everything we can in the Top Ten nor
> make the nomenclature any more confusing to non-experts than it already
> is. Instead, we need to make some sacrifices and keep things
> exceedingly simple.

I don't think those are the priorities. I think that we should change
the nomenclature to aid non-experts. I think the existing weakness
names are poor, e.g. Insecure Direct Object Reference / Predictable
Resource Location (which aren't even the same thing?). I think a lot
of the current OWASP T10 can and should be made more approachable
_through_ change. Marketing terms such as Malvertising or Clickjacking
should be completely removed... those are the worst long-term changes
we could make to the OWASP T10.

I think developers (the primary audience) are indeed aware of
object-oriented analysis & design nomenclature (as opposed to
Enterprise Application Integration and/or Pattern terminology, which
differs largely between platforms and authors). Words such as
Client-Tier, Presentation-Tier, Business-Tier, and Integration-Tier
are well understood.

The OWASP T10 is a software weakness document. The word XSS should
probably not be in any of the A1-10 main titles, as XSS is an attack
vector utilized by a threat (a person or bot/threat-agent). The
weakness is that the Client-Tier is injectable from a scripting
language. Thus, it should include wording around
1) Something about the client-side
2) Something about injections and where they come from and where they
go to and what they do
3) Something about what scripting has to do with injections on the
client-side, but also what else besides scripts can be affected and
why

> We should be focusing on issues of prevalence, severity, impact, and
> overall likelihood of exploitation. Let's leave the edge cases and
> catch-alls out. While many of these data points were limited in the
> past, they are no longer, so we are benefited where previous OWASP Top
> Ten groups were not. Sources of data include, but are not limited to:

I think we should be focusing in on what is missing among major
platforms. CVE is interesting because it's good data. However, CVE is
not as interesting as it should be for OWASP T10 because CVE could
include numerous projects/products that have the same software
weakness (XSS) in the same platform (PHP) over and over and over
again.

Ideally, OWASP T10 would be platform-specific, but the additional
problem is "what constitutes a platform?". The problems of
Flex2+Spring or Flex2+ASP.NET 4 (with or without MVC) are just a small
example of specifying platforms. This is why I do like the OWASP T10
-- it's a summary of the software weaknesses _common_ across many
platforms.

> The 2009 Data Breach Investigations Report
> http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/
>
> The Web Hacking Incidents Database
> http://whid.webappsec.org/
>
> WASC Web Application Security Statistics Project
> http://www.webappsec.org/projects/statistics/
>
> WhiteHat Website Security Statistics Report
> http://www.whitehatsec.com/home/resource/stats.html

Yeah. Um. No. No thank you, more specifically. I know that I don't
speak for everyone, but I can attest that the statistics in these
reports always have bias and are not reflected in reality.

Thanks,
Andre
