[Owasp-topten] An alternate view of "Risks"

robert at webappsec.org robert at webappsec.org
Mon Nov 23 14:16:53 EST 2009


> I've been thinking on what Robert said about trying to be better about
> terminology, and while I originally thought that I understood "risk" in
> the context of early drafts of the Top Ten, now I'm not so sure.  At the
> very least, the T10 still has the problem of using attack-ish/weakness-ish
> terminology in the names.  There's a challenge of using commonly-known
> terminology so you don't leave your core audience in the dark, and I'm
> definitely an advocate for using established terminology where feasible.
> 
> Perhaps one way of addressing this would be to change the current names
> and maybe make another minor tweak here and there into something that I
> think of as "risk," which is going to smell a lot like "attack" to some
> people, "threat" to others, and maybe there's some notion of "technical
> impact," too.
> 
> A1 - Injection
> 
> could be renamed to:
> 
>   Modification of queries or commands to the back-end interpreter
> 
> This is not necessarily "attack" the way I think of it - this doesn't get
> into any specifics about the method/procedure/technique that the attacker
> uses to accomplish the goal.
> 
> A programmer or development manager seeing this new name might react in
> the following fashion:  "wait, attackers can modify my queries?  That's a
> big concern."  That speaks more directly to people than "Injection."
> 
> A2 - XSS
> 
>    Consider: Execution of malicious script through web pages
> 
> A3 - broken authC / session mgt
> 
>    Consider: Compromise of users' identities or sessions
> 
> A4 - Insecure Direct Object Reference
> 
>    Consider: Unprotected Access to Internal Objects or Resources
> 
>    [I don't particularly like this suggestion]
> 
> A5 - CSRF
> 
>    Consider: Unintentional Requests Being Sent from Legitimate Users
> 
> A6 - Security Misconfiguration
> 
>    might not need a name change
> 
> A7 - Failure to Restrict URL Access
> 
>    Consider: Exposure of Restricted Functionality through URLs
> 
> A8 - Unvalidated Redirects and Forwards
> 
>    Consider: Redirection to Unexpected or Malicious Web Sites
> 
> A9 - Insecure Cryptographic Storage
> 
>    Consider: Theft or undetectable corruption of stored data
> 
> A10 - Insufficient Transport Layer Protection
> 
>    Consider: Theft of data or user information during transmission
> 
> Hope somebody understands what I'm trying to get at, I'm having some
> difficulty trying to explain it.  It's different but I'm not fully sure if
> it's any better.


Hello Steven!

While I may not entirely agree with the particular renaming suggestions, I do agree with your conclusion for the context of risks. While your email may be considered a wrench thrown into the gears of the Top Ten, I think this is a good opportunity to clarify scope/terminology to assist this document with its maturity. The Top 10 is utilized in PCI (as Dave points out: https://lists.owasp.org/pipermail/owasp-topten/2009-November/000499.html), and given its importance/impact on an organization's requirements, it should have as clear a message as possible to remove ambiguity not only in its logic, but for its consumers as well.

I've noticed that neither of our threads has received a single reply; it would be great to see what others on the list/working group have to say that may fill in some of the gaps/misconceptions/conversations we may have missed.

Regards,
- Robert A.
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/


> - Steve
