[Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec. Misconfig)

Dave Wichers dave.wichers at aspectsecurity.com
Mon Nov 16 20:59:32 EST 2009

My thoughts on security misconfiguration is that it covers the
configuration of everything on the server that is hosting the web
application as well as anything else in front of that server that is
protecting it (at least at the app layer for the 'in front' components).
And it includes the configuration (again at the app layer) of any
back-end components accessed by the web app, like the database/DB

So, for the app server, this includes the OS, the app server, the app
itself, and any components/frameworks used by the app that are
configurable. For a front end component, like an XML gateway, or App
Firewall, then I'd be primarily focused on their app layer configuration
(although their network configuration is important too).

As an organization, we recommend increased focus on the app layer
configuration of all the components involved since most organizations
tend to currently focus on the network layer components. As part of this
configuration, keeping up with the latest version of all the software
components involved is also very important as half the patches issued
are fixing security flaws, even in libraries, like Struts, Spring, etc.

I would expect both app and network layer scanning to help detect
security configuration flaws, as well as manual analysis. Neither can do
this well on its own, but manual analysis is probably the most important
aspect for the app layer.

I don't know if this clarifies my thoughts on the subject, but hopefully
it does.

I'm not sure what you mean by architecture issues that can be detected
by review of automated scan results.


-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Ralph Durkee
Sent: Monday, November 16, 2009 9:57 AM
To: owasp-topten at lists.owasp.org
Subject: [Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec. Misconfig)

Bringing back the "Security Misconfiguration" certainly deserves some
discussion.  As I remember the logic for taking it out was that it was
more in the realm of Web Sever vulnerabilities then Web Application. I
agree on the risk rating, but if you consider that these vulnerabilities
should be easily detected with host based and network based
vulnerabilities scanners, as oppose to Web Application Scanners.  As I'm
thinking this one doesn't belong.  Otherwise we could include platform
issues as well.

However on a related thread of thought, Web Application architecture
issues are specific to web applications, and probably deserve to be
included.  Although I would have to say that most of the architecture
issues could be detected by a manual review of automated scans.

Maybe there's a third option if there's a reasonable way to combine the
Web App architecture and configuration issues into a reasonable cohesive

-- Ralph Durkee

Owasp-topten mailing list
Owasp-topten at lists.owasp.org

More information about the Owasp-topten mailing list