[Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec. Misconfig)

Ralph Durkee rd at rd1.net
Mon Nov 16 09:56:38 EST 2009


Bringing back the "Security Misconfiguration" certainly deserves some
discussion.  As I remember, the logic for taking it out was that it was
more in the realm of Web Server vulnerabilities than Web Application. I
agree on the risk rating, but if you consider that these vulnerabilities
should be easily detected with host-based and network-based
vulnerability scanners, as opposed to Web Application Scanners.  As I'm
thinking, this one doesn't belong.  Otherwise we could include platform
issues as well.

However on a related thread of thought, Web Application architecture
issues are specific to web applications, and probably deserve to be
included.  Although I would have to say that most of the architecture
issues could be detected by a manual review of automated scans.

Maybe there's a third option if there's a reasonable way to combine the
Web App architecture and configuration issues into a reasonable cohesive
group.


-- Ralph Durkee