[Owasp-topten] Risks vs Vulns

Ryan Barnett ryan.barnett at owasp.org
Sun Feb 17 15:55:24 UTC 2013

One other comment for app-DoS and the data sets in use.  For all of the
assessment vendors listed as data sources ­ they almost never include DoS
testing as part of their engagements.  Orgs don't want to disrupt their
normal operations while assessment teams check the live sites for other
vulns, and I also believe that Orgs are drinking the Snake Oil of network
infrastructure vendors who claim that their appliance/device stops all DoS
traffic so they don't have to worry about that.

What you have ere is a recipe for disaster with regareds to defending
against Anonymous, wikileaks, LOIC/HOIC, slowloris, slow READ DoS, etcŠ type
app-layer DoS attacks.  Just ask the Finance sector how they feel about the
threat of DoS (as they have been hammered the past quarter or so).


From:  Ryan Barnett <ryan.barnett at owasp.org>
Date:  Sunday, February 17, 2013 10:38 AM
To:  Tom Brennan <tomb at owasp.org>, "owasp-topten at lists.owasp.org"
<owasp-topten at lists.owasp.org>
Subject:  Re: [Owasp-topten] Risks vs Vulns

> Before I dive into my sales pitch for why I think DoS should be in the Top 10,
> I thought I would take the opposite approach and ask ­ why is DoS not in the
> Top 10?
> I understand that Risk ratings factor in different potential impacts (and data
> leakages can certainly have a big impact if customer data is stolen) but we
> also must take a look at what attacks are actively being used.  The Web
> Hacking Incident Database (WHID) helps provide data for attack
> likelihood/frequency as we track real world compromises rather than
> vulnerability prevalence. Here is a mapping of past Top 10 items to WHID
> entries -
> https://www.owasp.org/index.php/OWASP_Top_10/Mapping_to_WHID
> Here is a listing of top Outcomes for 2012 and Downtime is #1 -
> https://www.google.com/fusiontables/DataSource?snapid=S886801Zyui
> Here is a listing of all Downtime incidents -
> https://www.google.com/fusiontables/DataSource?snapid=S886617Awnp
> Based on this info, App/layer DoS had got to be in the top 10.  Perhaps
> something to consider is WHO are the consumers of the Top 10?  Developers?
> Many of the app layer DoS attacks target web server infrastructure components
> and can not be fixed by developers, however this does not dimish the negative
> impact to the web site. Another thing to consider is the whole mass assignment
> discussion as the end result is typically app DoS.
> In WHID we provide different VIEWS of the data depending on the reader's
> perspective -
> Attack View - is for the Breaker community
> Weakness View - is for the Builder community
> Outcome View - is for Business owners.
> Perhaps we can have similar views for the Top 10.
> -Ryan
> From:  Tom Brennan <tomb at owasp.org>
> Date:  Sunday, February 17, 2013 9:23 AM
> To:  "owasp-topten at lists.owasp.org" <owasp-topten at lists.owasp.org>
> Subject:  [Owasp-topten] Risks vs Vulns
>> If the T10 is based on top risks not top vulns what web app does not have the
>> availability risk of layer 7 application denial of service - many would agree
>> is simply by design.
>> Based on a active discussion this weekend at Shmoocon in washington dc there
>> was strong group of defenders that would lobby to call out this risk that has
>> shown itself almost daily around the world since 2010.  Another point was
>> since there are many classes of attack raising visibility for the T10 should
>> also incorporate a matrix similar to
>> http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxon
>> omy%20Cross%20Reference%20View to proactively answer the how does this
>> compare that is a FAQ to additionally build awareness (mission) and I suspect
>> that since many community members are on this list, that is a separate
>> consensus request
>> Finally a additional source of reference for data call managed by Ryan
>> Barnett to be included, cross referenced
>> http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database#R
>> ealTimeStatistics also provide
>> OWASP Tool stable, for the community with 33k downloads
>> https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool and although many
>> variants including SSL half connects and other combinations if it dies not
>> fall as a Top 10 risk where would it fall on a Pentest centric project.
>> Additionally testing guide references
>> ihttps://www.owasp.org/index.php/Testing_for_Denial_of_Service
>> What entity does not share this concern that has something to serve up.
>> Discussion.
>> _______________________________________________ Owasp-topten mailing list
>> Owasp-topten at lists.owasp.orghttps://lists.owasp.org/mailman/listinfo/owasp-to
>> pten

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20130217/aca2bea3/attachment.html>

More information about the Owasp-topten mailing list