[Owasp-topten] question about RC1

Dave Wichers dave.wichers at aspectsecurity.com
Wed Feb 17 20:44:24 EST 2010


Brad,

 

This is good input. All input welcome J Even if I don't agree.

 

Regarding the size of the buckets in the Top 10. On one hand, we want
them to be as big as possible, so we can include as much as we can,
which is why A1 and A3, and others, are pretty broad. On the other hand,
we want to emphasize some of the really important issues and if we just
smashed them into broad buckets, they would get lost. XSS, CSRF, and
Unchecked redirects are examples of that. We could simply call A1 SQL
Injection, since that is the bulk of the threat, but by calling it
injection, we get to talk about the other types too.

 

So, we are trying to balance being broad, with also providing emphasis
where we think it is needed, and so what we came up with is our opinion
of the right balance, right or wrong. And I certainly don't think that
is a black and white question or answer.

 

Regarding your suggestions for making the guidance for the new A8, that
is a very good idea and I'll work on that, and maybe get some people to
help with the article that it references, or we'll write a good 'cheat
sheet' on that subject. Care to volunteer to help with the content on
this topic on the wiki?? Hint hint.

 

Thanks for your input, and hopefully your help.

 

-Dave

 

From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Brad Causey
Sent: Wednesday, February 17, 2010 11:45 AM
To: Owasp-topten at lists.owasp.org
Subject: [Owasp-topten] question about RC1

 

before I start. I love the top ten, use it all the time. So take my
question in that context, as a user.

This may just be a fundamental difference in views, and if so, I'll keep
my further thoughts to myself.

The items listed in the top ten have varying level of specificity. For
example:

A2 - XSS really has two individual types, and I can understand why you
might combine them as they both have similar effects, and causes.

However,

A3 - Broken Authentication and Session Management, incorporates 15
individual findings and covers two entire finding types (from the
testing guide). This is extremely vague. Now I agree that these are
important topics, but wouldn't it make sense to focus on a few of the
most problematic ones?

A1 - Same as A3, there are at least 8 dramatically different 'injection'
type flaws in circulation (by my count). Wouldn't it serve us best to
say "SQL Injection" or 'XPath Injection".

Regarding A8 - There is a major lack of useful information for someone
looking to get help. The OWASP article referenced is all but empty. The
ESAPI is awesome for this, but many folks just need guidance.
The entry ignores the fix that I see the most which is destination host
checking. For example:

requests from yoursite.com?redir.php=mysite.com/path.html

would not be accepted, where as 

yoursite.com?redir.php=yoursite.com/path.html

would.

Now in full disclosure, it LOVE the fact that redirects were added to
the Top ten because they are definitely a problem. 

I guess what I'm getting at on this one is that we need to put more
back-end prep work on something new like A8, to ensure when people start
freaking (and trust me, they will) , that they have enough information
to do so sanely.

Now, feel free to flame me. =)



-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
"Si vis pacem, para bellum"
--

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-topten/attachments/20100217/a2cdb8c5/attachment.html 


More information about the Owasp-topten mailing list