[Owasp-topten] Risks vs Vulns

Ryan Barnett ryan.barnett at owasp.org
Sun Feb 17 16:55:02 UTC 2013


Application DoS was already in the Top 10 2004 -
https://www.owasp.org/index.php/A9_2004_Application_Denial_of_Service.  We
can use that as a base for discussion.  The key point I would raise with
regard to "Am I vulnerable…" and references are the Slow Request/Read attack
scenarios employed by a large number of attack tools today that weren't
prevalent back in 2004.  From a "How do I prevent DoS" perspective, I would
definitely reference the UserTrend/SystemTrend categories of AppSensor
Detection Points -

https://www.owasp.org/index.php/AppSensor_DetectionPoints#UserTrendException
https://www.owasp.org/index.php/AppSensor_DetectionPoints#SystemTrendException

-Ryan

From:  Abbas Naderi <abbas.naderi at owasp.org>
Date:  Sunday, February 17, 2013 11:35 AM
To:  Ryan Barnett <ryan.barnett at owasp.org>
Cc:  Tom Brennan <tomb at owasp.org>, "owasp-topten at lists.owasp.org"
<owasp-topten at lists.owasp.org>
Subject:  Re: [Owasp-topten] Risks vs Vulns

> Hi Ryan,
> I partially agree with you on this. I suggest you prepare something similar to
> As in the document with DOS, then we can talk about including it in.
> Thanks
> -Abbas
> On 29 Bahman 1391, at 19:08, Ryan Barnett <ryan.barnett at owasp.org> wrote:
> 
>> Before I dive into my sales pitch for why I think DoS should be in the Top
>> 10, I thought I would take the opposite approach and ask – why is DoS not in
>> the Top 10?
>> 
>> I understand that Risk ratings factor in different potential impacts (and
>> data leakages can certainly have a big impact if customer data is stolen) but
>> we also must take a look at what attacks are actively being used.  The Web
>> Hacking Incident Database (WHID) helps provide data for attack
>> likelihood/frequency as we track real world compromises rather than
>> vulnerability prevalence. Here is a mapping of past Top 10 items to WHID
>> entries -
>> https://www.owasp.org/index.php/OWASP_Top_10/Mapping_to_WHID
>> 
>> Here is a listing of top Outcomes for 2012 and Downtime is #1 -
>> https://www.google.com/fusiontables/DataSource?snapid=S886801Zyui
>> 
>> Here is a listing of all Downtime incidents -
>> https://www.google.com/fusiontables/DataSource?snapid=S886617Awnp
>> 
>> Based on this info, App/layer DoS has got to be in the top 10.  Perhaps
>> something to consider is WHO are the consumers of the Top 10?  Developers?
>> Many of the app layer DoS attacks target web server infrastructure components
>> and cannot be fixed by developers, however this does not diminish the negative
>> impact to the web site. Another thing to consider is the whole mass
>> assignment discussion as the end result is typically app DoS.
>> 
>> In WHID we provide different VIEWS of the data depending on the reader's
>> perspective -
>> 
>> Attack View - is for the Breaker community
>> Weakness View - is for the Builder community
>> Outcome View - is for Business owners.
>> 
>> Perhaps we can have similar views for the Top 10.
>> 
>> -Ryan
>> 
>> From:  Tom Brennan <tomb at owasp.org>
>> Date:  Sunday, February 17, 2013 9:23 AM
>> To:  "owasp-topten at lists.owasp.org" <owasp-topten at lists.owasp.org>
>> Subject:  [Owasp-topten] Risks vs Vulns
>> 
>>> If the T10 is based on top risks not top vulns what web app does not have
>>> the availability risk of layer 7 application denial of service - many would
>>> agree is simply by design.
>>> 
>>> Based on an active discussion this weekend at Shmoocon in Washington DC there
>>> was a strong group of defenders that would lobby to call out this risk that
>>> has shown itself almost daily around the world since 2010.  Another point
>>> was since there are many classes of attack raising visibility for the T10
>>> should also incorporate a matrix similar to
>>> http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View
>>> to proactively answer the how does this
>>> compare that is a FAQ to additionally build awareness (mission) and I
>>> suspect that since many community members are on this list, that is a
>>> separate consensus request
>>> 
>>> Finally an additional source of reference for data call managed by Ryan
>>> Barnett to be included, cross referenced
>>> http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database#RealTimeStatistics
>>> also provide
>>> 
>>> OWASP Tool stable, for the community with 33k downloads
>>> https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool and although many
>>> variants including SSL half connects and other combinations if it does not
>>> fall as a Top 10 risk where would it fall on a Pentest centric project.
>>> Additionally testing guide references
>>> https://www.owasp.org/index.php/Testing_for_Denial_of_Service
>>> 
>>> What entity does not share this concern that has something to serve up.
>>> 
>>> Discussion.
>>> 
>>> 
>>> _______________________________________________
>>> Owasp-topten mailing list
>>> Owasp-topten at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-topten
> 

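Ryan's "How do I prevent DoS" pointer to the AppSensor UserTrend/SystemTrend detection points, applied to the slow request/read scenarios he mentions, as an added example that is not part of the thread or of AppSensor itself. The connection-record format, the thresholds and the sample data are assumptions constructed for the example; a real deployment would derive them from the server's own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical per-connection record (constructed for this example, not a
# real server's log format): how long the connection was held open and how
# slowly bytes moved in each direction.
@dataclass
class Conn:
    client: str
    duration_s: float   # wall time the connection stayed open
    req_bps: float      # request bytes received per second (slow headers/POST)
    resp_bps: float     # response bytes the client drained per second (slow read)

# Thresholds are assumptions for the example, not AppSensor-prescribed values.
SLOW_SECONDS = 30.0      # a request open this long is a candidate slow connection
SLOW_BPS = 100.0         # under this many bytes/s in either direction counts as slow
USER_MAX_SLOW = 3        # UserTrendException: slow connections per client per window
SYSTEM_MAX_RATIO = 0.25  # SystemTrendException: share of slow connections site-wide

def is_slow(c: Conn) -> bool:
    """Slow request (trickled headers/body) or slow read (throttled response drain)."""
    return c.duration_s >= SLOW_SECONDS and min(c.req_bps, c.resp_bps) < SLOW_BPS

def trend_exceptions(window: list[Conn]) -> dict:
    """Evaluate one time window and report which trend detection points fired."""
    per_user = defaultdict(int)
    slow_total = 0
    for c in window:
        if is_slow(c):
            per_user[c.client] += 1
            slow_total += 1
    user_hits = sorted(u for u, n in per_user.items() if n >= USER_MAX_SLOW)
    ratio = slow_total / len(window) if window else 0.0
    return {
        "user_trend": user_hits,                    # clients to throttle or drop
        "system_trend": ratio >= SYSTEM_MAX_RATIO,  # site-wide surge of slow conns
        "slow_ratio": round(ratio, 3),
    }

# Constructed sample window: one client trickling four slow POSTs, two normal clients.
SAMPLE = [
    Conn("198.51.100.7", 95.0, 2.0, 5.0), Conn("198.51.100.7", 120.0, 1.0, 5.0),
    Conn("198.51.100.7", 80.0, 3.0, 5.0), Conn("198.51.100.7", 61.0, 2.0, 5.0),
    Conn("203.0.113.4", 0.4, 8000.0, 50000.0), Conn("203.0.113.9", 1.1, 900.0, 20000.0),
]

if __name__ == "__main__":
    print(trend_exceptions(SAMPLE))
```

The per-user signal is what a developer or WAF can act on (throttle that client); the system-wide signal is the infrastructure-level alarm Ryan notes developers alone cannot fix.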
