[Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec. Misconfig)

Tyler Reguly ht at computerdefense.org
Mon Nov 16 10:53:25 EST 2009


This is one I was disappointed to see disappear from 2004, so I'm
really glad that it's back. These days a Web Application is so much
more than an independent Web Page sitting with its static content. It
may interact with other applications, a database, the web server, even
components of the OS itself; as such, the entire stack should be
covered from top to bottom. There's nothing stating that the OWASP Top
10 needs to be limited to vulnerabilities that Web Application
Scanners detect, so why limit it? If you want to look at this from a
tool perspective, VM companies are slowly moving into web (full
disclosure: I work for one of these companies)... so maybe it's time
Web Application Scanners expand their view and move into more
traditional VM outside of the Web Application itself. Again though, I
don't agree that the Top 10 is limited to tools in any way.

A flaw in apache is just as much of a risk to your users as a flaw in
the application running on apache.

Tyler.

On Mon, Nov 16, 2009 at 9:56 AM, Ralph Durkee <rd at rd1.net> wrote:
>
> Bringing back the "Security Misconfiguration" certainly deserves some
> discussion.  As I remember, the logic for taking it out was that it was
> more in the realm of Web Server vulnerabilities than Web Application. I
> agree on the risk rating, but if you consider that these vulnerabilities
> should be easily detected with host-based and network-based
> vulnerability scanners, as opposed to Web Application Scanners.  As I'm
> thinking, this one doesn't belong.  Otherwise we could include platform
> issues as well.
>
> However on a related thread of thought, Web Application architecture
> issues are specific to web applications, and probably deserve to be
> included.  Although I would have to say that most of the architecture
> issues could be detected by a manual review of automated scans.
>
> Maybe there's a third option if there's a reasonable way to combine the
> Web App architecture and configuration issues into a reasonable cohesive
> group.
>
>
> -- Ralph Durkee
>
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>