[Owasp-topten] Risks vs Vulns

Abbas Naderi abbas.naderi at owasp.org
Sun Feb 17 16:35:58 UTC 2013


Hi Ryan,
I partially agree with you on this. I suggest you prepare something similar to As in the document with DOS, then we can talk about including it in.
Thanks
-Abbas
On 29 Bahman 1391, at 19:08, Ryan Barnett <ryan.barnett at owasp.org> wrote:

> Before I dive into my sales pitch for why I think DoS should be in the Top 10, I thought I would take the opposite approach and ask – why is DoS not in the Top 10?
> 
> I understand that Risk ratings factor in different potential impacts (and data leakages can certainly have a big impact if customer data is stolen) but we also must take a look at what attacks are actively being used.  The Web Hacking Incident Database (WHID) helps provide data for attack likelihood/frequency as we track real world compromises rather than vulnerability prevalence. Here is a mapping of past Top 10 items to WHID entries -
> https://www.owasp.org/index.php/OWASP_Top_10/Mapping_to_WHID
> 
> Here is a listing of top Outcomes for 2012 and Downtime is #1 -
> https://www.google.com/fusiontables/DataSource?snapid=S886801Zyui
> 
> Here is a listing of all Downtime incidents -
> https://www.google.com/fusiontables/DataSource?snapid=S886617Awnp
> 
> Based on this info, App/layer DoS has got to be in the top 10.  Perhaps something to consider is WHO are the consumers of the Top 10?  Developers?  Many of the app layer DoS attacks target web server infrastructure components and cannot be fixed by developers; however, this does not diminish the negative impact to the web site. Another thing to consider is the whole mass assignment discussion, as the end result is typically app DoS.
> 
> In WHID we provide different VIEWS of the data depending on the reader's perspective -
> 
> Attack View - is for the Breaker community
> Weakness View - is for the Builder community
> Outcome View - is for Business owners. 
> 
> Perhaps we can have similar views for the Top 10.
> 
> -Ryan
> 
> From: Tom Brennan <tomb at owasp.org>
> Date: Sunday, February 17, 2013 9:23 AM
> To: "owasp-topten at lists.owasp.org" <owasp-topten at lists.owasp.org>
> Subject: [Owasp-topten] Risks vs Vulns
> 
>> If the T10 is based on top risks not top vulns what web app does not have the availability risk of layer 7 application denial of service - many would agree is simply by design.
>> 
>> Based on an active discussion this weekend at Shmoocon in Washington DC, there was a strong group of defenders that would lobby to call out this risk that has shown itself almost daily around the world since 2010.  Another point was, since there are many classes of attack, raising visibility for the T10 should also incorporate a matrix similar to http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View to proactively answer the "how does this compare" that is a FAQ, to additionally build awareness (mission), and I suspect that since many community members are on this list, that is a separate consensus request.
>> 
>> Finally, an additional source of reference for data call managed by Ryan Barnett to be included, cross referenced http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database#RealTimeStatistics also provide 
>> 
>> OWASP Tool stable, for the community with 33k downloads
>> https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool and, although there are many variants including SSL half connects and other combinations, if it does not fall as a Top 10 risk, where would it fall on a Pentest-centric project? Additionally, the testing guide references https://www.owasp.org/index.php/Testing_for_Denial_of_Service 
>> 
>> What entity that has something to serve up does not share this concern?
>> 
>> Discussion.
>> 
>> 
>> _______________________________________________
>> Owasp-topten mailing list
>> Owasp-topten at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-topten
