[Owasp-topten] An alternate view of "Risks"
robert at webappsec.org
Mon Nov 23 14:16:53 EST 2009
> I've been thinking on what Robert said about trying to be better about
> terminology, and while I originally thought that I understood "risk" in
> the context of early drafts of the Top Ten, now I'm not so sure. At the
> very least, the T10 still has the problem of using attack-ish/weakness-ish
> terminology in the names. There's a challenge of using commonly-known
> terminology so you don't leave your core audience in the dark, and I'm
> definitely an advocate for using established terminology where feasible.
> Perhaps one way of addressing this would be to change the current names
> and maybe make another minor tweak here and there into something that I
> think of as "risk," which is going to smell a lot like "attack" to some
> people, "threat" to others, and maybe there's some notion of "technical
> impact," too.
> A1 - Injection
> could be renamed to:
> Modification of queries or commands to the back-end interpreter
> This is not necessarily "attack" the way I think of it - this doesn't get
> into any specifics about the method/procedure/technique that the attacker
> uses to accomplish the goal.
> A programmer or development manager seeing this new name might react in
> the following fashion: "wait, attackers can modify my queries? That's a
> big concern." That speaks more directly to people than "Injection."
> A2 - XSS
> Consider: Execution of malicious script through web pages
> A3 - broken authC / session mgt
> Consider: Compromise of users' identities or sessions
> A4 - Insecure Direct Object Reference
> Consider: Unprotected Access to Internal Objects or Resources
> [I don't particularly like this suggestion]
> A5 - CSRF
> Consider: Unintentional Requests Being Sent from Legitimate Users
> A6 - Security Misconfiguration
> might not need a name change
> A7 - Failure to Restrict URL Access
> Consider: Exposure of Restricted Functionality through URLs
> A8 - Unvalidated Redirects and Forwards
> Consider: Redirection to Unexpected or Malicious Web Sites
> A9 - Insecure Cryptographic Storage
> Consider: Theft or undetectable corruption of stored data
> A10 - Insufficient Transport Layer Protection
> Consider: Theft of data or user information during transmission
> Hope somebody understands what I'm trying to get at, I'm having some
> difficulty trying to explain it. It's different but I'm not fully sure if
> it's any better.
While I may not entirely agree with the particular renaming suggestions, I do agree with your conclusion in the context
of risks. While your email may be considered a wrench thrown into the gears of the top ten, I think this is a good opportunity
to clarify scope/terminology to assist this document with its maturity. The Top 10 is utilized in PCI (as Dave points out https://lists.owasp.org/pipermail/owasp-topten/2009-November/000499.html), and given its importance/impact on an organization's
requirements, it should have as clear a message as possible to remove ambiguity not only in its logic, but for its consumers as well.
I've noticed that neither of our threads has received a single reply; it would be great to see what others on the list/working group
have to say that may fill in some of the gaps/misconceptions/conversations we may have missed.
- Robert A.
> - Steve