[Owasp-topten] question about RC1

Brad Causey bradcausey at gmail.com
Thu Feb 18 13:53:21 EST 2010


Hey Dave,

That does make sense, and now that you've explained it as such, I completely
understand. Sorry for my confusion.
What kind of guy would I be if I didn't offer help! Count me in on the open
redirect for the wiki. I'm a bit underwater right now, but I'd like to get
it done in time for the release.

-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
"Si vis pacem, para bellum"
--


On Wed, Feb 17, 2010 at 7:44 PM, Dave Wichers <
dave.wichers at aspectsecurity.com> wrote:

>  Brad,
>
> This is good input. All input welcome :) Even if I don’t agree.
>
> Regarding the size of the buckets in the Top 10. On one hand, we want them
> to be as big as possible, so we can include as much as we can, which is why
> A1 and A3, and others, are pretty broad. On the other hand, we want to
> emphasize some of the really important issues and if we just smashed them
> into broad buckets, they would get lost. XSS, CSRF, and Unchecked redirects
> are examples of that. We could simply call A1 SQL Injection, since that is
> the bulk of the threat, but by calling it injection, we get to talk about
> the other types too.
>
> So, we are trying to balance being broad, with also providing emphasis
> where we think it is needed, and so what we came up with is our opinion of
> the right balance, right or wrong. And I certainly don’t think that is a
> black and white question or answer.
>
> Regarding your suggestions for making the guidance for the new A8, that is
> a very good idea and I’ll work on that, and maybe get some people to help
> with the article that it references, or we’ll write a good ‘cheat sheet’ on
> that subject. Care to volunteer to help with the content on this topic on
> the wiki?? Hint hint.
>
> Thanks for your input, and hopefully your help.
>
> -Dave
>
> *From:* owasp-topten-bounces at lists.owasp.org [mailto:
> owasp-topten-bounces at lists.owasp.org] *On Behalf Of *Brad Causey
> *Sent:* Wednesday, February 17, 2010 11:45 AM
> *To:* Owasp-topten at lists.owasp.org
> *Subject:* [Owasp-topten] question about RC1
>
> Before I start: I love the Top Ten, use it all the time. So take my
> question in that context, as a user.
>
> This may just be a fundamental difference in views, and if so, I'll keep my
> further thoughts to myself.
>
> The items listed in the Top Ten have varying levels of specificity. For
> example:
>
> A2 - XSS really has two individual types, and I can understand why you
> might combine them as they both have similar effects, and causes.
>
> However,
>
> A3 - Broken Authentication and Session Management, incorporates 15
> individual findings and covers two entire finding types (from the testing
> guide). This is extremely vague. Now I agree that these are important
> topics, but wouldn't it make sense to focus on a few of the most problematic
> ones?
>
> A1 - Same as A3, there are at least 8 dramatically different 'injection'-type
> flaws in circulation (by my count). Wouldn't it serve us best to say
> "SQL Injection" or "XPath Injection"?
>
> Regarding A8 - There is a major lack of useful information for someone
> looking to get help. The OWASP article referenced is all but empty. The
> ESAPI is awesome for this, but many folks just need guidance.
> The entry ignores the fix that I see the most which is destination host
> checking. For example:
>
> requests from yoursite.com?redir.php=mysite.com/path.html
>
> would not be accepted, whereas
>
> yoursite.com?redir.php=yoursite.com/path.html
>
> would.
>
> Now in full disclosure, I LOVE the fact that redirects were added to the
> Top Ten because they are definitely a problem.
>
> I guess what I'm getting at on this one is that we need to put more
> back-end prep work into something new like A8, to ensure that when people start
> freaking out (and trust me, they will), they have enough information to do
> so sanely.
>
> Now, feel free to flame me. =)
>
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> "Si vis pacem, para bellum"
> --
>
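The destination host check Brad describes in his original mail, written out as an added example (this is not code from the thread, from OWASP or from ESAPI): a redirect parameter is accepted only when the host a browser would actually land on is the site's own. The host `yoursite.com` is the one from the mail; the function names and the rejected sample values are constructed for this illustration, and the example goes beyond the two URLs in the mail by also handling scheme-relative, userinfo and look-alike-subdomain values that a naive "contains yoursite.com" check would wrongly accept.

```python
from typing import Optional
from urllib.parse import urlsplit

# Host taken from the thread's example; constructed for this illustration.
ALLOWED_HOST = "yoursite.com"
ALLOWED_SCHEMES = {"http", "https"}


def redirect_target_host(target: str) -> Optional[str]:
    """Return the host a browser would land on for redirect value `target`.
    A path-only value like "/account" stays on site and yields ALLOWED_HOST;
    None means the value never resolves to an http(s) host at all."""
    value = target.strip().replace("\\", "/")  # browsers treat "\" as "/" in http(s) URLs
    if value.startswith("//"):
        # Scheme-relative: "//evil.example/x" leaves the site even though it starts with "/"
        value = "http:" + value
    elif value.startswith("/"):
        return ALLOWED_HOST  # same-host path, nothing to check
    elif not urlsplit(value).scheme:
        # Bare host as in the thread's example ("yoursite.com/path.html")
        value = "http://" + value
    parts = urlsplit(value)
    if parts.scheme not in ALLOWED_SCHEMES:
        return None  # javascript:, data:, ... are not redirects to any host
    # .hostname drops userinfo ("yoursite.com@evil.example") and the port, and lowercases
    return parts.hostname


def is_safe_redirect(target: str) -> bool:
    """Destination host check: accept only redirects that land on ALLOWED_HOST."""
    return redirect_target_host(target) == ALLOWED_HOST


if __name__ == "__main__":
    # Constructed redir values: the two from the mail plus shapes a naive
    # "contains yoursite.com" or "starts with /" check would wrongly accept.
    for redir in [
        "yoursite.com/path.html",
        "mysite.com/path.html",
        "/account",
        "//evil.example/path.html",
        "/\\evil.example/path.html",
        "https://yoursite.com@evil.example/",
        "https://yoursite.com.evil.example/",
        "javascript:alert(1)",
    ]:
        print(f"{('allow' if is_safe_redirect(redir) else 'reject'):6} {redir}")
```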