[Owasp-topten] OWASP Top Ten Comments

robert at webappsec.org robert at webappsec.org
Wed Nov 18 20:52:48 EST 2009

Greetings List,

I've been meaning to post to this list for a while and now seems as good a time as ever. After reviewing the 
latest top ten I have questions and suggestions about the document structure, purpose, and direction. 

#1 Document clarification on attacks and weaknesses
The document indicates that the items within the top ten are weaknesses.

"Our methodology includes three likelihood factors for each weakness (prevalence, detectability, and ease of exploit) 
and one impact factor (technical impact). The prevalence of a weakness is a factor that you typically don’t have to 
calculate. For prevalence data, we have been supplied prevalence statistics from a number of different organizations 
and we have averaged their data together to come up with a Top 10 likelihood of existence list by prevalence."

However the top ten utilizes attacks, and weaknesses (with the current terminology, see #2). 

A1 - Injection
A2 - XSS

When I see Injection, I think attack, as does MITRE's CAPEC project (http://capec.mitre.org/data/definitions/152.html). Same with XSS
(http://capec.mitre.org/data/definitions/243.html and http://capec.mitre.org/data/definitions/106.html). I admit that the first version 
of WASC's Threat Classification didn't get this right and the lack of clarification caused confusion by the people digesting the 
document, and modifying it. 

#2 Terminology 

- Clearly define terminology used (mitre perhaps?) (flaw, defect, attack, weakness, risk, etc...)
- Explore/review the use of 'attack' and 'weakness' throughout this document
- Explore the MITRE references to most accurately reflect the attack aspect (CAPEC), and the weaknesses (CWE) when applicable
 - Example: http://capec.mitre.org/data/definitions/248.html and http://capec.mitre.org/data/definitions/152.html

#3 Using the Top Ten
It would be really great to have documented different ways the owasp top ten has been used, or can be used (not just who has used it). 
The top ten states what it shouldn't be used for (e.g. "But the Top 10 is not an application security program."), and its goals but 
not how it should/could be used (that was obvious, perhaps I'm blind). Speaking on behalf of the WASC Threat Classification project 
this was something that we kept getting asked for, and having it documented also lets people think about other ways to use it. For us
this has been helpful, perhaps for the owasp top ten this could be beneficial as well.

#4 Renaming the TOP ten to 'OWASP Top Ten Risks'?
I'm glad to see the methodology is better defined than in previous versions. Have there been discussions to rename the Top Ten
to Top Ten Risks? Being a leader of a security project (WASC Threat Classification) I understand the complexities of renaming 
an established project. I'm not saying you 'must' or 'should' rename it, merely asking if it has been discussed and a conscious
decision has been made not to change it.

#5 Removal of Information leakage
I see the note as to why information leakage was removed, however I see this more as a limitation on the definition of information
leakage rather than it being a reduced risk. Risk wise depending on the information leaked this can be the worst thing that could 
happen to an organization depending on the info type. Might I suggest expanding OWASP's definition of information leakage as this can 
be quite a 'risky' thing. The WASC Threat Classification has information leakage broken down into several types at 
http://projects.webappsec.org/Information-Leakage however I'm not suggesting you utilize our interpretation/literal text, merely 
explore the possibility of expanding your definition of information leakage, and including info leakage in the owasp top ten.

Please take this email as strictly constructive criticism/questioning and not as a negative. The owasp top ten is a widely known document
and I bring up these points in order to better understand its logic/structure (I'm sure others are seeking additional clarification as 
well). I assume some of these discussions have taken place (sorry for bringing them up again if so), but I'm unaware of 
the background and seek clarification. 

- Robert Auger
http://www.webappsec.org/ WASC Threat Classification Project Leader, WASC Co-Founder

PS: Pardon my references to WASC's project (I swear I'm not spamming!), I'm merely mentioning it as a related project that was 
negatively affected due to some of the aspects above. 
