[Owasp-topten] An alternate view of "Risks"

Steven M. Christey coley at linus.mitre.org
Thu Nov 19 19:44:48 EST 2009


I apologize to the list for what I'm about to suggest, since this may be a
rehash of some long-running debates in the web security community, and at
the very least I'm suggesting a fairly big change.  Plus I don't think
about "risk" that much.

I've been thinking on what Robert said about trying to be better about
terminology, and while I originally thought that I understood "risk" in
the context of early drafts of the Top Ten, now I'm not so sure.  At the
very least, the T10 still has the problem of using attack-ish/weakness-ish
terminology in the names.  There's a challenge of using commonly-known
terminology so you don't leave your core audience in the dark, and I'm
definitely an advocate for using established terminology where feasible.

Perhaps one way of addressing this would be to change the current names
and maybe make another minor tweak here and there into something that I
think of as "risk," which is going to smell a lot like "attack" to some
people, "threat" to others, and maybe there's some notion of "technical
impact," too.

Alright, enough verbosity already.

A1 - Injection

could be renamed to:

  Modification of queries or commands to the back-end interpreter

This is not necessarily "attack" the way I think of it - this doesn't get
into any specifics about the method/procedure/technique that the attackers
uses to accomplish the goal.

A programmer or development manager seeing this new name might react in
the following fashion:  "wait, attackers can modify my queries?  That's a
big concern."  That speaks more directly to people than "Injection."

A2 - XSS

   Consider: Execution of malicious script through web pages

A3 - broken authC / session mgt

   Consider: Compromise of users' identities or sessions

A4 - Insecure Direct Object Reference

   Consider: Unprotected Access to Internal Objects or Resources

   [I don't particularly like this suggestion]

A5 - CSRF

   Consider: Unintentional Requests Being Sent from Legitimate Users

A6 - Security Misconfiguration

   might not need a name change

A7 - Failure to Restrict URL Access

   Consider: Exposure of Restricted Functionality through URLs

A8 - Unvalidated Redirects and Forwards

   Consider: Redirection to Unexpected or Malicious Web Sites

A9 - Insecure Cryptographic Storage

   Consider: Theft or undetectable corruption of stored data

A10 - Insufficient Transport Layer Protection

   Consider: Theft of data or user information during transmission

Almost everything else on the page could be the same, but this is a
slightly different presentation.  And there's room for improvement for my
suggestions.  Commonly-known terms like "injection" and "XSS" would need a
to be mentioned somewhere.

Hope somebody understands what I'm trying to get at, I'm having some
difficulty trying to explain it.  It's different but I'm not fully sure if
it's any better.

- Steve


More information about the Owasp-topten mailing list