[Owasp-topten] 2013 A7 - Access Control

Abbas Naderi abbas.naderi at owasp.org
Fri Feb 15 20:55:56 UTC 2013


Agree with this one, how about changing the title to "Using outdated third-party software"?

Also what's your opinion on other issues?
-Abbas
On 27 Bahman 1391, at 23:45, Ryan Dewhurst <ryandewhurst at gmail.com> wrote:

> Some good points raised.
> 
> Maybe A9 could be titled to include the word "outdated" as most
> software with "known vulnerabilities" should have already been patched
> and therefore be outdated as mentioned in the "How do I prevent This?"
> box.
> 
> Something like:
> 
> "The use of outdated third-party software"
> 
> On Fri, Feb 15, 2013 at 5:47 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>> Hello there folks,
>> 
>> A few comments on RC 2013, which is my own opinion as well as opinion of
>> countless people who have contacted me as OWASP official of my region:
>> 
>> One of the worst things about top ten - which countless people contact me
>> about every day - are complex titles. Why not replace Missing Function Level
>> Access Control with Insufficient Access Control? Everybody knows what access
>> control and insufficient means, but without reading the description nobody
>> will know what function level in the context is supposed to mean.
>> 
>> 
>> I don't see a clear distinction between A4 (which has a very mysterious
>> title and has held it for 10 years now) and A7. They are basically the same
>> thing, and I assume the correct position is indeed A4. What current A4 has
>> (and has had) only boggles the minds of developers who haven't experienced
>> it before. I think the correct way would be to just name it insufficient
>> access control. Everyday apps require access control on every single task.
>> 
>> 
>> I also suggest changing the following from A2 Authentication:
>> 
>> Are credentials always protected when stored using hashing or encryption?
>> See A6.
>> 
>> to
>> 1. Are credentials stored using cryptographically secure hashing and
>> encryption?
>> 
>> What I see is most people tend to store passwords as MD5 hashes, at least 10
>> times more than people who store them in cleartext. They both are essential
>> flaws but a person employing MD5 would think it is secure by reading this.
>> 
>> 
>> The defense for Insecure Direct Object Reference is something you can never
>> expect developers to do, unless they realize why. The more logical approach
>> is to ask them to enforce access control on everything, and then to
>> indirectly reference sensitive data. The trade-off is just not logical.
>> 
>> Again, A7 states three scenarios which are basically the same. It has like
>> 80% common ground with A4, and separating them is just caused by long years
>> of Top Ten existence, not reality. I need other people's opinion on this.
>> 
>> I think it is worth mentioning that defense against CSRF is not that simple
>> and requires some effort.
>> 
>> I suggest renaming A9 to "Using Vulnerable 3rd Party" or "Using Vulnerable
>> Tools", because we mean 3rd party tools not developed components of the
>> local company.
>> 
>> That's all, I'd really appreciate some feedback on this.
>> Thanks
>> -Abbas
