[Owasp-topten] Feedback on OWASP 2010 Top 10

Ralph Durkee rd at rd1.net
Wed Nov 18 20:17:11 EST 2009


OK, so there was one bad example out of the set, but there are lots of
serious vulnerabilities that would be difficult to categorize as
anything other than insecure architecture choices. Services that are
inappropriate for the tier are difficult to call misconfiguration if
they are configured as securely as normally recommended; also, lack of
a firewall or front-end controls such as XML or web gateways is
better called an architecture rather than a configuration issue.
Configuration focuses on the individual pieces, and not on how they are
used as a whole. Network segmentation between tiers is likewise
architecture. If we are going to include this sort of thing in the
misconfiguration item, then we need a better title and description.

-- Ralph Durkee



Dave Wichers wrote:
>
> In A10, it already says this under "How do I prevent this?":
>
> 5. Backend and other connections should also use SSL/TLS or
> other encryption technologies.
>
> And I added another scenario:
>
> _Scenario #3_: Site simply uses standard ODBC/JDBC for database
> connection, not realizing all this traffic is in the clear.
>
> -Dave
>
>
> From: owasp-topten-bounces at lists.owasp.org
> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of McGovern,
> James F. (eBusiness)
> Sent: Wednesday, November 18, 2009 9:25 AM
> Cc: owasp-topten at lists.owasp.org
> Subject: [Owasp-topten] Feedback on OWASP 2010 Top 10
>
> A clear text ODBC connection between the mid-tier and back end would
> be covered under A10 -- Insufficient Transport Layer Protection and
> should be spelled out as one of the examples. Mention JDBC as well.
>
> Since we are updating the OWASP Top Ten, may I assume that we could 
> also spend a little time synching up the OWASP Web Services Top Ten? 
> Likewise, since Cloud is becoming important, how about us proactively 
> announcing the creation of the OWASP Cloud Top Ten?
>
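The cleartext ODBC/JDBC scenario that Dave and James discuss above is easy to catch in a configuration review. The following is an added example, not part of this thread or of the OWASP Top Ten text: a small Python check that reads JDBC connection strings out of a properties file and reports whether each one forces TLS with server-certificate and host-name verification, only encrypts, or leaves the database traffic in the clear. The parameter names (`sslmode`, `sslMode`, `encrypt`, `trustServerCertificate`) are the documented PostgreSQL, MySQL Connector/J and Microsoft SQL Server JDBC driver options; the properties-file lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample configuration lines (not from any real deployment).
SAMPLE_CONFIG = """\
# database connections
app.db.url=jdbc:postgresql://db.internal:5432/orders
app.db.url=jdbc:postgresql://db.internal:5432/orders?sslmode=require
app.db.url=jdbc:postgresql://db.internal:5432/orders?sslmode=verify-full
report.db.url=jdbc:mysql://db.internal:3306/reports?sslMode=VERIFY_IDENTITY
legacy.db.url=jdbc:sqlserver://db.internal:1433;databaseName=hr;encrypt=false
legacy.db.url=jdbc:sqlserver://db.internal:1433;databaseName=hr;encrypt=true;trustServerCertificate=true
"""


def connection_params(url: str) -> tuple[str, dict[str, str]]:
    """Split a jdbc:<driver>:... URL into (driver, {lower-cased param: value}).

    PostgreSQL and MySQL drivers take ?k=v&k=v; SQL Server takes ;k=v;k=v.
    """
    m = re.match(r"jdbc:([a-z]+):", url, re.I)
    driver = m.group(1).lower() if m else "unknown"
    params: dict[str, str] = {}
    if "?" in url:
        for key, values in parse_qs(url.split("?", 1)[1]).items():
            params[key.lower()] = values[-1]
    elif ";" in url:
        for part in url.split(";")[1:]:
            key, _, value = part.partition("=")
            if key:
                params[key.lower()] = value
    return driver, params


def transport_verdict(url: str) -> str:
    """Classify the transport protection a connection string asks for.

    'ok'         - TLS required and the server certificate and host name are verified
    'unverified' - TLS used, but the server is not authenticated (an active
                   attacker on the path can still impersonate the database)
    'cleartext'  - TLS disabled, or not explicitly required (driver defaults are
                   deliberately not trusted: they differ between driver versions)
    """
    driver, p = connection_params(url)
    if driver == "postgresql":
        mode = p.get("sslmode", "").lower()
        if mode == "verify-full":
            return "ok"
        if mode in ("allow", "prefer", "require", "verify-ca"):
            return "unverified"  # no host-name check against the certificate
        return "cleartext"
    if driver == "mysql":
        mode = p.get("sslmode", "").upper()
        if mode == "VERIFY_IDENTITY":
            return "ok"
        if mode in ("PREFERRED", "REQUIRED", "VERIFY_CA"):
            return "unverified"
        return "cleartext"
    if driver == "sqlserver":
        if p.get("encrypt", "").lower() != "true":
            return "cleartext"
        if p.get("trustservercertificate", "").lower() == "true":
            return "unverified"  # encrypted, but any certificate is accepted
        return "ok"
    return "cleartext"  # unknown driver: flag it for manual review


def audit(config_text: str) -> list[tuple[str, str, str]]:
    """Return (property key, url, verdict) for every jdbc: value in a properties file."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.lower().startswith("jdbc:"):
            findings.append((key.strip(), value, transport_verdict(value)))
    return findings


if __name__ == "__main__":
    for key, url, verdict in audit(SAMPLE_CONFIG):
        print(f"{verdict:10s} {key}: {url}")
```

The check credits only settings that force verified TLS; a string with no TLS parameter at all is reported as cleartext rather than relying on whatever the installed driver version happens to default to, which is exactly the "not realizing all this traffic is in the clear" situation of Scenario #3. Note that `sslmode=require` and `trustServerCertificate=true` encrypt the session but do not authenticate the server, so they land in the "unverified" bucket rather than passing.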