[Owasp-topten] Risks vs Vulns
ryan.barnett at owasp.org
Sun Feb 17 16:55:02 UTC 2013
Application DoS was already in the Top 10 2004 -
can use that as a base for discussion. The key point I would raise with
regard to "Am I vulnerable…" and references are the Slow Request/Read attack
scenarios employed by a large number of attack tools today that weren't
prevalent back in 2004. From a "How do I prevent DoS" perspective, I would
definitely reference the UserTrend/SystemTrend categories of AppSensor
Detection Points -
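As an added illustration of the two AppSensor detection point categories named above (not code from the thread or from the AppSensor project), the block below scores constructed request records for the slow request/read pattern: long-held connections delivering very few bytes. The `SLOW_SECONDS`, `LOW_RATE_BPS` and threshold values are assumptions chosen for the example, not AppSensor defaults.

```python
"""Added example, not part of the original thread: AppSensor-style
UserTrend and SystemTrend detection points for slow request/read DoS."""
from collections import defaultdict

# Constructed records in the shape of access-log fields:
# (client_ip, request_duration_seconds, bytes_sent)
SAMPLE_REQUESTS = [
    ("10.0.0.5", 0.2, 15000), ("10.0.0.5", 0.3, 12000),
    ("203.0.113.9", 45.0, 300), ("203.0.113.9", 60.0, 250),
    ("203.0.113.9", 52.0, 400), ("203.0.113.9", 48.0, 200),
    ("198.51.100.7", 0.1, 9000),
]

# Assumed tuning values for this example (not AppSensor defaults).
SLOW_SECONDS = 30.0       # a request held open this long counts as slow
LOW_RATE_BPS = 64.0       # ...when it also moves under this many bytes/s
USER_TREND_THRESHOLD = 3  # slow requests per client before flagging
SYSTEM_TREND_RATIO = 0.5  # share of all requests that are slow

def is_slow(duration_s, bytes_out):
    """A slow read/request pairs a long duration with low throughput;
    a long but high-volume download is not flagged."""
    return duration_s >= SLOW_SECONDS and bytes_out / duration_s < LOW_RATE_BPS

def user_trend(requests):
    """UserTrend-style point: clients whose count of slow requests
    reaches the threshold. Returns {client_ip: slow_request_count}."""
    counts = defaultdict(int)
    for ip, duration_s, bytes_out in requests:
        if is_slow(duration_s, bytes_out):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= USER_TREND_THRESHOLD}

def system_trend(requests):
    """SystemTrend-style point: site-wide fraction of slow requests,
    which catches distributed sources that each stay under UserTrend."""
    if not requests:
        return 0.0, False
    slow = sum(1 for ip, d, b in requests if is_slow(d, b))
    ratio = slow / len(requests)
    return ratio, ratio >= SYSTEM_TREND_RATIO

if __name__ == "__main__":
    print("UserTrend hits:", user_trend(SAMPLE_REQUESTS))
    print("SystemTrend (ratio, alert):", system_trend(SAMPLE_REQUESTS))
```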
From: Abbas Naderi <abbas.naderi at owasp.org>
Date: Sunday, February 17, 2013 11:35 AM
To: Ryan Barnett <ryan.barnett at owasp.org>
Cc: Tom Brennan <tomb at owasp.org>, "owasp-topten at lists.owasp.org"
<owasp-topten at lists.owasp.org>
Subject: Re: [Owasp-topten] Risks vs Vulns
> Hi Ryan,
> I partially agree with you on this. I suggest you prepare something similar to
> As in the document with DOS, then we can talk about including it in.
> On 29 Bahman 1391, at 19:08, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>> Before I dive into my sales pitch for why I think DoS should be in the Top
>> 10, I thought I would take the opposite approach and ask – why is DoS not in
>> the Top 10?
>> I understand that Risk ratings factor in different potential impacts (and
>> data leakages can certainly have a big impact if customer data is stolen) but
>> we also must take a look at what attacks are actively being used. The Web
>> Hacking Incident Database (WHID) helps provide data for attack
>> likelihood/frequency as we track real world compromises rather than
>> vulnerability prevalence. Here is a mapping of past Top 10 items to WHID
>> entries -
>> Here is a listing of top Outcomes for 2012 and Downtime is #1 -
>> Here is a listing of all Downtime incidents -
>> Based on this info, App/layer DoS has got to be in the top 10. Perhaps
>> something to consider is WHO are the consumers of the Top 10? Developers?
>> Many of the app layer DoS attacks target web server infrastructure components
>> and can not be fixed by developers, however this does not diminish the negative
>> impact to the web site. Another thing to consider is the whole mass
>> assignment discussion as the end result is typically app DoS.
>> In WHID we provide different VIEWS of the data depending on the reader's
>> perspective -
>> Attack View - is for the Breaker community
>> Weakness View - is for the Builder community
>> Outcome View - is for Business owners.
>> Perhaps we can have similar views for the Top 10.
>> From: Tom Brennan <tomb at owasp.org>
>> Date: Sunday, February 17, 2013 9:23 AM
>> To: "owasp-topten at lists.owasp.org" <owasp-topten at lists.owasp.org>
>> Subject: [Owasp-topten] Risks vs Vulns
>>> If the T10 is based on top risks, not top vulns, what web app does not have
>>> the availability risk of layer 7 application denial of service, which many would
>>> agree is simply by design?
>>> Based on an active discussion this weekend at ShmooCon in Washington DC there
>>> was a strong group of defenders that would lobby to call out this risk that
>>> has shown itself almost daily around the world since 2010. Another point
>>> was since there are many classes of attack raising visibility for the T10
>>> should also incorporate a matrix similar to
>>> nomy%20Cross%20Reference%20View to proactively answer the how does this
>>> compare that is a FAQ to additionally build awareness (mission) and I
>>> suspect that since many community members are on this list, that is a
>>> separate consensus request
>>> Finally an additional source of reference for data call managed by Ryan
>>> Barnett to be included, cross referenced
>>> RealTimeStatistics also provide
>>> OWASP Tool stable, for the community with 33k downloads
>>> https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool and although many
>>> variants including SSL half connects and other combinations if it does not
>>> fall as a Top 10 risk where would it fall on a Pentest centric project.
>>> Additionally testing guide references
>>> What entity does not share this concern that has something to serve up.
>>> _______________________________________________
>>> Owasp-topten mailing list
>>> Owasp-topten at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-t