[Owasp-topten] [Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available

Wong Onn Chee ocwong at owasp.org
Sat Feb 16 02:49:48 UTC 2013


Hi folks

One more feedback regarding A6, Sensitive Data Exposure.

In the "How Do I Prevent This?" section, I suggest we advise the readers
to check and inspect the outbound traffic from web apps.

Just like how the customs folks have to inspect the luggage leaving the
airports to ensure no undeclared valuables are "leaked out", we can
hardly convince the user that nothing sensitive is being exposed if we
do not check the traffic going out.

It is akin to us reassuring the users that a web app is secure without
looking at the source code.

Just my $0.02. :-)

Thank you for your attention.

Best Regards
Wong Onn Chee
OWASP Singapore Chapter Lead


On 16/02/2013 10:14, Wong Onn Chee wrote:
> Hi Dave and team,
>
> Well done!
>
> Have a feedback about A9.
>
> A9 seems to be one of the numerous ways in which the actual
> vulnerabilities/risks, e.g. SQL injection, XSS, etc., are being
> introduced. It does not seem substantial enough to stand alone as an
> individual risk.
>
> In actual fact, the analysis mentioned this "including injection,
> broken access control, XSS, etc." under the technical impact. Does
> that mean the root cause is still back to the Top 3 risks in OWASP Top
> 10 2013?
>
> If we are still going along this thread of thought, will a better
> alternative be "Lack of source code review" or "Negligence in patching"?
>
> Recently, after a massive hack of 17 Singapore government agency
> websites, I was asked to provide my $0.02, being the local OWASP rep.
> The agency was obviously using insecure and unpatched
> frameworks/platform for the 17 websites. However, they were not aware
> of this when they first deployed the framework/platform (it was the
> most updated version then). But a simple source code review would have
> discovered the loopholes even before the initial deployment.
> Thereafter, when new security fixes were released, they were not
> applied, resulting in the eventual massive hack.
>
> (PS: The Singapore government FINALLY requires the government agencies
> to conduct source reviews for web apps after my shameless push for
> secure codes! Hooray!)
>
> Fair enough, the root cause(s) still relates back to the usual Top 3
> risks.
> Similar to the proposed A9 item. ;-)
>
> Hope my $0.02 is of some help.
>
> BTW, can I make reference to the new OWASP Top 10 2013 RC in next
> week's OWASP AppSec Asia in Jeju?
>
> Also, any advance plans for the ESAPI team to update the ESAPI
> libraries to protect the new risks covered by OWASP Top 10 2013?
>
> Best Regards
> Onn Chee
> OWASP Singapore
>
> On 16/02/2013 00:25, Dave Wichers wrote:
>>
>> OWASP Leaders!
>>
>>
>>
>> The Release Candidate for the OWASP Top 10 – 2013 is now available!
>> (Attached)
>>
>>
>>
>> It’s also available for download here:
>> <http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf>
>>
>>
>>
>> A press release for this should be coming out later today.
>>
>>
>>
>> Please forward to all the developers and development teams you know!!
>> I’d love to get feedback from them too, and to start immediately
>> raising awareness about what’s changed in this update to the Top 10.
>> The primary change is the addition of the new category: *A9-Using
>> Components with Known Vulnerabilities*
>>
>>
>>
>> We plan to release the final version of the OWASP Top 10 - 2013 in
>> April or May 2013 after a public comment period ending March 30, 2013.
>>
>>
>>
>> Constructive comments on this OWASP Top 10 - 2013 Release Candidate
>> should be forwarded via email to OWASP-TopTen at lists.owasp.org
>> <mailto:OWASP-TopTen at lists.owasp.org>. Private comments may be sent
>> to dave.wichers at owasp.org <mailto:dave.wichers at owasp.org>.
>> Anonymous comments are welcome. All non-private comments will be
>> catalogued and published at the same time as the final public
>> release.  Comments recommending changes to the items listed in the
>> Top 10 should include a complete suggested list of 10 items, along
>> with a rationale for any changes. All comments should indicate the
>> specific relevant page and section.
>>
>>
>>
>> Your feedback is critical to the continued success of the OWASP Top
>> 10 Project. Thank you all for your dedication to improving the
>> security of the world’s software for everyone.
>>
>>
>>
>> Thanks, Dave
>>
>>
>>
>> OWASP Top 10 Project Lead
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>

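The outbound-traffic check proposed at the top of this message, worked through as an added example; it is not part of the original thread and not the OWASP Top 10 project's own material. It assumes the check runs on HTTP response bodies as they leave the application (a reverse proxy or WSGI middleware would be the natural place), and the detection patterns, the Luhn filter for card numbers, and the sample responses are all constructed for illustration.

```python
"""Egress check for sensitive data in web app responses (constructed example).

The idea from the thread: inspect what leaves the web app, the way customs
inspects outgoing luggage. This scanner runs over outbound HTTP response
bodies and reports or redacts values that look like payment card numbers,
US SSNs or PEM private keys. Patterns and samples are assumptions, not
anything the OWASP Top 10 document itself prescribes.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str      # category of sensitive data
    offset: int    # character offset in the body where the match starts
    masked: str    # value with all but the last 4 characters masked


# Candidate card numbers: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number in the common dashed layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# A complete PEM private-key block (header through footer).
PEM_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----[\s\S]*?"
    r"-----END (?:RSA |EC |DSA )?PRIVATE KEY-----"
)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last 4 characters so logs never carry the full value."""
    visible = value[-4:]
    return "*" * (len(value) - len(visible)) + visible


def scan_body(body: str) -> List[Finding]:
    """Report sensitive-looking values in an outbound response body."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        # The Luhn check filters out most order numbers, timestamps and ids
        # that happen to be long digit runs.
        if luhn_valid(digits):
            findings.append(Finding("card_number", m.start(), mask(digits)))
    for m in SSN_RE.finditer(body):
        findings.append(Finding("ssn", m.start(), mask(m.group())))
    for m in PEM_RE.finditer(body):
        findings.append(Finding("private_key", m.start(), "<private key material>"))
    return sorted(findings, key=lambda f: f.offset)


def redact_body(body: str) -> str:
    """Return the body with detected values replaced (for a blocking proxy)."""
    def _card(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask(digits) if luhn_valid(digits) else m.group()
    body = CARD_RE.sub(_card, body)
    body = SSN_RE.sub(lambda m: mask(m.group()), body)
    body = PEM_RE.sub("<redacted private key>", body)
    return body


# Constructed sample responses. 4111 1111 1111 1111 is a well-known test card
# number that passes Luhn; the order id and "ref" number are digit runs that
# do not, so they must be left alone.
SAMPLE_RESPONSE = (
    '{"order": "ORD-20130216-000042", "customer": "A. Example",'
    ' "card": "4111 1111 1111 1111", "tax_id": "123-45-6789",'
    ' "note": "ref 1234567890123456"}'
)
KEY_LEAK_RESPONSE = (
    "debug dump:\n-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEconstructedplaceholder\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for body in (SAMPLE_RESPONSE, KEY_LEAK_RESPONSE):
        for f in scan_body(body):
            print(f"{f.kind} at offset {f.offset}: {f.masked}")
        print(redact_body(body))
```

Run as middleware, `scan_body` feeds an alert (the masked value is safe to log) while `redact_body` is what a blocking proxy would write out instead of the original body; the Luhn step is what keeps order numbers and similar digit runs from flooding the alert channel.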