[Owasp-topten] Risks vs Vulns

Tom Brennan tomb at owasp.org
Sun Feb 17 14:23:23 UTC 2013


If the T10 is based on top risks, not top vulns, what web app does not have the availability risk of layer 7 application denial of service? Many would agree it is simply by design.

Based on an active discussion this weekend at ShmooCon in Washington, DC, there was a strong group of defenders that would lobby to call out this risk, which has shown itself almost daily around the world since 2010. Another point was that, since there are many classes of attack, raising visibility for the T10 should also incorporate a matrix similar to http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View to proactively answer the "how does this compare?" question that is a FAQ, to additionally build awareness (mission). I suspect that, since many community members are on this list, that is a separate consensus request.

Finally, an additional source of reference for the data call managed by Ryan Barnett, to be included and cross referenced: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database#RealTimeStatistics

Also provided is the OWASP tool, stable, for the community, with 33k downloads: https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool. Although there are many variants, including SSL half connects and other combinations, if it does not fall as a Top 10 risk, where would it fall on a pentest-centric project? Additionally, the testing guide references https://www.owasp.org/index.php/Testing_for_Denial_of_Service

What entity that has something to serve up does not share this concern?

Discussion.
