[Owasp-topten] Feedback on OWASP 2010 Top 10

Achim Hoffmann kirke12 at securenet.de
Tue Nov 17 10:17:08 EST 2009


I disagree.

daniel cuthbert wrote on 17.11.2009 15:43:
> I agree.
> 
> Back in the day it was important to have the likes of XSS/SQLi as
> separate categories, namely due to the fact they weren't well-known, but
> the level of awareness today is far greater than back in 2004. Would it
> not be more suitable to have a single parent category such as injection
> and then have the sub-categories below depending on how widespread they are?
> 
> 
> 
> 2009/11/17 McGovern, James F. (eBusiness)
> <James.McGovern at thehartford.com>
> 
>     My peers were discussing the top ten and wanted to understand why
>     certain categories couldn't be collapsed into "input validation", for
>     example SQL Injection, such that room could be made for other
>     categories...

Sorry for chiming in late (even though I've been on the list for ages).

As discussed in Portugal last year, the Top 10 list also serves those people
who are not addicted to web application security, and even those with very little
knowledge about HTTP at all.
That's what made the list so popular.

The purpose of the list is to give a short overview of what the threats and risks
are. This works without being 101% correct.
If someone is nitpicking on words and terms (like me :), there are better references
for that than the Top 10. See for example:
  http://projects.webappsec.org/Threat-Classification-Working
(which is not yet perfect either)

Regarding injection flaws: we all know that they suffer from the same problem,
and that's not only "input validation" but also some other filterings, validations
and sanitisations too.
I'd agree with the current list (2010) with separate SQLi and XSS, as they are still
the most common problems. And they are far from well known to the public, unfortunately.

IMHO people looking for the OWASP Top 10 expect a simple list (with a simple metric)
which is easy to understand. In such a case no one cares about the fact that even
XSS needs to be divided into several different attack classes by experts like us.

The simplicity made the top 10 what it is used for today.

Achim
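An added example, not part of the thread, illustrating the point above that injection flaws are not settled by "input validation" alone: one legitimate value passes a generic validator yet still needs separate SQL-context and HTML-context handling. The validator, the in-memory sqlite table and the sample name are all constructed for this illustration.

```python
import html
import sqlite3

# Constructed sample: a legitimate value that generic input validation
# must accept, yet which has meaning in both the SQL and HTML contexts.
SAMPLE_NAME = "O'Brien <Admin>"

def name_is_valid(name: str) -> bool:
    """Generic input validation: non-empty, bounded, printable text."""
    return 0 < len(name) <= 64 and name.isprintable()

def make_db() -> sqlite3.Connection:
    """In-memory users table holding the one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", (SAMPLE_NAME,))
    return conn

def lookup_concat(conn, name):
    """Validated input spliced into SQL text: the apostrophe in the name
    breaks the statement, so validation alone did not make the query safe."""
    try:
        sql = "SELECT id FROM users WHERE name = '" + name + "'"
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)

def lookup_param(conn, name):
    """SQL-context handling: bind the value instead of interpolating it."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def render_raw(name: str) -> str:
    """Validated input dropped into HTML: the angle brackets become markup."""
    return "<p>Hello " + name + "</p>"

def render_escaped(name: str) -> str:
    """HTML-context handling: encode for the output context, not the input."""
    return "<p>Hello " + html.escape(name) + "</p>"

def demo() -> dict:
    """Run the one value through every handler so the results can be compared."""
    conn = make_db()
    return {
        "valid": name_is_valid(SAMPLE_NAME),
        "concat": lookup_concat(conn, SAMPLE_NAME),
        "param": lookup_param(conn, SAMPLE_NAME),
        "raw": render_raw(SAMPLE_NAME),
        "escaped": render_escaped(SAMPLE_NAME),
    }
```

The same validated value breaks the concatenated query and becomes markup in the raw template, while the bound parameter finds the row and the escaped output stays text.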


