[Owasp-topten] An alternate view of "Risks"
Steven M. Christey
coley at linus.mitre.org
Thu Nov 19 19:44:48 EST 2009
I apologize to the list for what I'm about to suggest, since this may be a
rehash of some long-running debates in the web security community, and at
the very least I'm suggesting a fairly big change. Plus I don't think
about "risk" that much.
I've been thinking on what Robert said about trying to be better about
terminology, and while I originally thought that I understood "risk" in
the context of early drafts of the Top Ten, now I'm not so sure. At the
very least, the T10 still has the problem of using attack-ish/weakness-ish
terminology in the names. There's a challenge of using commonly-known
terminology so you don't leave your core audience in the dark, and I'm
definitely an advocate for using established terminology where feasible.
Perhaps one way of addressing this would be to change the current names
and maybe make another minor tweak here and there into something that I
think of as "risk," which is going to smell a lot like "attack" to some
people, "threat" to others, and maybe there's some notion of "technical
Alright, enough verbosity already.
A1 - Injection
could be renamed to:
Modification of queries or commands to the back-end interpreter
This is not necessarily "attack" the way I think of it - this doesn't get
into any specifics about the method/procedure/technique that the attacker
uses to accomplish the goal.
A programmer or development manager seeing this new name might react in
the following fashion: "wait, attackers can modify my queries? That's a
big concern." That speaks more directly to people than "Injection."
A2 - XSS
Consider: Execution of malicious script through web pages
A3 - broken authC / session mgt
Consider: Compromise of users' identities or sessions
A4 - Insecure Direct Object Reference
Consider: Unprotected Access to Internal Objects or Resources
[I don't particularly like this suggestion]
A5 - CSRF
Consider: Unintentional Requests Being Sent from Legitimate Users
A6 - Security Misconfiguration
might not need a name change
A7 - Failure to Restrict URL Access
Consider: Exposure of Restricted Functionality through URLs
A8 - Unvalidated Redirects and Forwards
Consider: Redirection to Unexpected or Malicious Web Sites
A9 - Insecure Cryptographic Storage
Consider: Theft or undetectable corruption of stored data
A10 - Insufficient Transport Layer Protection
Consider: Theft of data or user information during transmission
Almost everything else on the page could be the same, but this is a
slightly different presentation. And there's room for improvement for my
suggestions. Commonly-known terms like "injection" and "XSS" would need
to be mentioned somewhere.
Hope somebody understands what I'm trying to get at; I'm having some
difficulty trying to explain it. It's different, but I'm not fully sure if
it's any better.