[Owasp-topten] Feedback on OWASP 2010 Top 10

Dave Wichers dave.wichers at aspectsecurity.com
Wed Nov 18 18:30:30 EST 2009


In A10, it already says this under: How do I prevent this?

5. Backend and other connections should also use SSL/TLS or other
encryption technologies.

And I added another scenario:

Scenario #3: Site simply uses standard ODBC/JDBC for database
connection, not realizing all this traffic is in the clear.

-Dave
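As an added example (mine, not text from the OWASP Top 10 draft or from anyone in this thread): a small Python audit of JDBC connection strings that flags the situation in Scenario #3 and shows the hardened form next to it. The driver property names are the documented ones for MySQL Connector/J 8, pgjdbc and the Microsoft SQL Server JDBC driver; the hostnames and file paths in the samples are constructed, and the "TLS mode must be stated explicitly" rule is a policy choice of this audit, not something the drivers require.

```python
"""Audit JDBC connection URLs for transport-layer protection (A10).

Added example, not text from the OWASP Top 10 or from this thread. It turns
"backend connections should also use SSL/TLS" into a check that can be run
over connection strings pulled from configuration. Property names are the
documented ones for MySQL Connector/J 8, pgjdbc and the Microsoft SQL Server
JDBC driver; hostnames and file paths in the samples are constructed.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit


def _jdbc_params(url: str) -> tuple[str, dict[str, str]]:
    """Return (subprotocol, parameters) for a JDBC URL.

    MySQL and PostgreSQL drivers take '?k=v&k=v'; SQL Server takes ';k=v;k=v'.
    Keys are lower-cased so the audit is not fooled by 'sslMode' vs 'sslmode'.
    """
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    subprotocol = url.split(":", 2)[1].lower()
    params: dict[str, str] = {}
    if subprotocol == "sqlserver":
        for part in url.split(";")[1:]:
            key, _, value = part.partition("=")
            params[key.strip().lower()] = value.strip()
    else:
        query = urlsplit(url[len("jdbc:"):]).query
        for key, values in parse_qs(query, keep_blank_values=True).items():
            params[key.lower()] = values[-1]
    return subprotocol, params


def audit_jdbc_url(url: str) -> list[str]:
    """Return findings for one URL; an empty list means the hop is encrypted
    and the server's identity is verified, the bar A10 sets for every hop."""
    sub, p = _jdbc_params(url)
    findings: list[str] = []
    if sub == "mysql":
        # Connector/J 8 default is sslMode=PREFERRED: TLS only if the server
        # offers it, no certificate check, silent fallback to plaintext.
        mode = p.get("sslmode", "PREFERRED").upper()
        if p.get("usessl", "").lower() == "false" or mode == "DISABLED":
            findings.append("TLS disabled; traffic is in the clear")
        elif mode == "PREFERRED":
            findings.append("sslMode=PREFERRED (default): unverified TLS with plaintext fallback")
        elif mode == "REQUIRED":
            findings.append("sslMode=REQUIRED encrypts but does not verify the server certificate")
        elif mode == "VERIFY_CA":
            findings.append("sslMode=VERIFY_CA does not check the hostname; use VERIFY_IDENTITY")
        elif mode != "VERIFY_IDENTITY":
            findings.append(f"unknown sslMode {mode!r}")
    elif sub == "postgresql":
        # Audit policy (assumption): sslmode must be stated explicitly so the
        # outcome does not depend on a driver version's default.
        mode = p.get("sslmode", "").lower()
        if mode in ("", "disable", "allow", "prefer"):
            findings.append(f"sslmode={mode or 'unset'}: TLS optional or off; use sslmode=verify-full")
        elif mode == "require":
            findings.append("sslmode=require encrypts but does not verify the server certificate")
        elif mode == "verify-ca":
            findings.append("sslmode=verify-ca does not check the hostname; use verify-full")
        elif mode != "verify-full":
            findings.append(f"unknown sslmode {mode!r}")
    elif sub == "sqlserver":
        # The default for 'encrypt' changed across driver versions, so require
        # it explicitly; trustServerCertificate=true accepts any certificate.
        if p.get("encrypt", "").lower() not in ("true", "strict"):
            findings.append("encrypt not explicitly true; set encrypt=true")
        if p.get("trustservercertificate", "false").lower() == "true":
            findings.append("trustServerCertificate=true accepts any certificate (MITM possible)")
    else:
        findings.append(f"subprotocol {sub!r} not covered; check its TLS settings by hand")
    return findings


# Constructed sample URLs: the first of each pair is Scenario #3 (driver
# defaults, nothing verified), the second is the hardened form.
SAMPLE_URLS = {
    "mysql-default": "jdbc:mysql://db.internal:3306/app",
    "mysql-hardened": "jdbc:mysql://db.internal:3306/app?sslMode=VERIFY_IDENTITY",
    "pg-default": "jdbc:postgresql://db.internal:5432/app",
    "pg-require": "jdbc:postgresql://db.internal:5432/app?ssl=true&sslmode=require",
    "pg-hardened": "jdbc:postgresql://db.internal:5432/app?ssl=true&sslmode=verify-full&sslrootcert=/etc/pki/db-ca.pem",
    "mssql-trustall": "jdbc:sqlserver://db.internal:1433;databaseName=app;encrypt=true;trustServerCertificate=true",
    "mssql-hardened": "jdbc:sqlserver://db.internal:1433;databaseName=app;encrypt=true;trustServerCertificate=false;hostNameInCertificate=db.internal",
}


def audit_all(urls: dict[str, str] = SAMPLE_URLS) -> dict[str, list[str]]:
    """Audit a name -> URL mapping and return name -> findings."""
    return {name: audit_jdbc_url(url) for name, url in urls.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

In practice the input is the set of URLs grepped out of datasource configuration rather than the built-in samples. A clean result only means the driver has been told to require TLS and verify the server; the CA file named in sslrootcert (or the trust store) still has to exist and the database's certificate still has to match its hostname, which is a deployment check, not a string check. The ODBC side uses different keywords per driver (for example psqlODBC's SSLmode, or Encrypt=yes;TrustServerCertificate=no for the Microsoft SQL Server ODBC driver), but the same three questions apply: is encryption required, is the certificate validated, is the hostname checked.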


From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of McGovern,
James F. (eBusiness)
Sent: Wednesday, November 18, 2009 9:25 AM
Cc: owasp-topten at lists.owasp.org
Subject: [Owasp-topten] Feedback on OWASP 2010 Top 10


A clear text ODBC connection between the mid-tier and back end would be
covered under A10 - Insufficient Transport Layer Protection and should
be spelled out as one of the examples. Mention JDBC as well.


Since we are updating the OWASP Top Ten, may I assume that we could also
spend a little time synching up the OWASP Web Services Top Ten?
Likewise, since Cloud is becoming important, how about us proactively
announcing the creation of the OWASP Cloud Top Ten?
