[Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec. Misconfig)

Ralph Durkee rd at rd1.net
Tue Nov 17 20:16:46 EST 2009


But I don't think you're both saying the same thing. From what Dave
says, OS misconfiguration would be included, while having a clear-text
ODBC between the Middle and Back-end would not be included, nor would having a
DB network listener on the same system as the web server if it were not
misconfigured. I think the Top 10 needs to
stay Web App focused and have only the necessary overlap with
traditional network and system security; that's why I made the
suggestions I did.

-- Ralph Durkee


Fuller, Kevin R. wrote:
> I agree,
>
> After all, how far can you go back into architecture and maintain the
> division between the system and OS and the web application?  If the
> focus of the top ten is on the web application vulnerability issues then
> you have to delineate at some point where the web stops (underlying web
> service framework (Apache, IIS)?) and the operating system framework
> starts. That is handled by different standards, requirements and
> testing.
>
> Kevin Fuller
> CCNP, GSNA, GCIH, GCIA, GWAS, GREM
> ISD/System Test, DMV
> -----Original Message-----
> From: owasp-topten-bounces at lists.owasp.org
> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Dave Wichers
> Sent: Tuesday, November 17, 2009 11:37 AM
> To: Ralph Durkee; Dave Wichers
> Cc: owasp-topten at lists.owasp.org
> Subject: Re: [Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec. Misconfig)
>
> I think that ends up with too broad of a category and the issues are
> different in my opinion.
>
> Dave 
>
> -----Original Message-----
> From: Ralph Durkee <rd at rd1.net>
> Sent: Tuesday, November 17, 2009 10:40 AM
> To: Dave Wichers <dave.wichers at aspectsecurity.com>
> Cc: Dave Wichers <dave.wichers at aspectsecurity.com>;
> <owasp-topten at lists.owasp.org> <owasp-topten at lists.owasp.org>
> Subject: Re: [Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec. Misconfig)
>
> No.  I was thinking we wouldn't drop configuration from the title.
> Just add architecture. Something like
>
> Insecure configuration and architecture
>
> -- Ralph
>
> On Nov 17, 2009, at 10:07 AM, "Dave Wichers" <dave.wichers at aspectsecurity.com> wrote:
>
>> I think taking configuration out of the title would take away from  
>> the primary focus of that top 10 area.
>>
>> Dave
>>
>> -----Original Message-----
>> From: Ralph Durkee <rd at rd1.net>
>> Sent: Tuesday, November 17, 2009 9:00 AM
>> To: Dave Wichers <dave.wichers at aspectsecurity.com>
>> Cc: owasp-topten at lists.owasp.org <owasp-topten at lists.owasp.org>
>> Subject: Re: [Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec. Misconfig)
>>
>> Yes that helps.  Some of what you described as misconfiguration is what
>> I was describing as architecture.  Are there multiple tiers, what
>> services and roles do each tier provide, what communications are used
>> between the systems and components? Are insecure services and protocols
>> used, or services that are inappropriate for the architecture, such as
>> SMB or NFS on the web server?   Whether there is an XML gateway or Web App
>> firewall would be included. Frameworks used is also architecture.  Many (not
>> all) of these architecture issues will come to light with a manual review of
>> automated scans.  Why not broaden the title to include insecure
>> architecture?
>>
>> -- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
>> Principal Security Consultant
>> http://rd1.net
>>
>>
>> Dave Wichers wrote:
>>     
>>> My thoughts on security misconfiguration are that it covers the
>>> configuration of everything on the server that is hosting the web
>>> application as well as anything else in front of that server that is
>>> protecting it (at least at the app layer for the 'in front' components).
>>> And it includes the configuration (again at the app layer) of any
>>> back-end components accessed by the web app, like the database/DB
>>> server.
>>>
>>> So, for the app server, this includes the OS, the app server, the app
>>> itself, and any components/frameworks used by the app that are
>>> configurable. For a front end component, like an XML gateway, or App
>>> Firewall, then I'd be primarily focused on their app layer configuration
>>> (although their network configuration is important too).
>>>
>>> As an organization, we recommend increased focus on the app layer
>>> configuration of all the components involved since most organizations
>>> tend to currently focus on the network layer components. As part of this
>>> configuration, keeping up with the latest version of all the software
>>> components involved is also very important as half the patches issued
>>> are fixing security flaws, even in libraries, like Struts, Spring, etc.
>>>
>>> I would expect both app and network layer scanning to help detect
>>> security configuration flaws, as well as manual analysis. Neither can do
>>> this well on its own, but manual analysis is probably the most important
>>> aspect for the app layer.
>>>
>>> I don't know if this clarifies my thoughts on the subject, but hopefully
>>> it does.
>>>
>>> I'm not sure what you mean by architecture issues that can be detected
>>> by review of automated scan results.
>>>
>>> -Dave
>>>
>>> -----Original Message-----
>>> From: owasp-topten-bounces at lists.owasp.org
>>> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Ralph Durkee
>>> Sent: Monday, November 16, 2009 9:57 AM
>>> To: owasp-topten at lists.owasp.org
>>> Subject: [Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec. Misconfig)
>>>
>>>
>>> Bringing back the "Security Misconfiguration" certainly deserves some
>>> discussion.  As I remember the logic for taking it out was that it was
>>> more in the realm of Web Server vulnerabilities than Web Application. I
>>> agree on the risk rating, but if you consider that these vulnerabilities
>>> should be easily detected with host based and network based
>>> vulnerability scanners, as opposed to Web Application Scanners.   As I'm
>>> thinking this one doesn't belong.  Otherwise we could include platform
>>> issues as well.
>>>
>>> However on a related thread of thought, Web Application architecture
>>> issues are specific to web applications, and probably deserve to be
>>> included.  Although I would have to say that most of the architecture
>>> issues could be detected by a manual review of automated scans.
>>>
>>> Maybe there's a third option if there's a reasonable way to combine the
>>> Web App architecture and configuration issues into a reasonable cohesive
>>> group.
>>>
>>>
>>> -- Ralph Durkee
>>>
>>>
>>> _______________________________________________
>>> Owasp-topten mailing list
>>> Owasp-topten at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>>>