[Owasp-topten] RC1 comments

Chris Eng ceng at veracode.com
Sun Feb 17 20:46:45 UTC 2013


It’s also worth thinking about who’s using the OWASP Top Ten.  In theory it’s enterprise developers.  In practice it’s enterprise risk management (CISO/CIO), some enterprise developers, and some penetration testers (if they’re being used to satisfy PCI requirements, for example).  Neither of those groups includes Bob’s Open Source PHP Guestbook.

While there is some truth to the Imperva post, measuring the percentage of server-side programming languages “out there on the Internet” isn’t exactly the most accurate way to measure enterprise risk either.  Many or most of those PHP apps may not be subject to any regulatory requirements and most of them probably don’t house any sensitive data.  In other words there’s a lot of RFI out there in places that are pretty irrelevant.  Our (Veracode) data is a reflection of what enterprises are using, not the sum total of all servers on the Internet.

Incidentally, in the 2010 Top Ten, RFI was included in part of 2010-A4 (Insecure Direct Object References) according to the CWE hierarchy. So it should continue to be included in audit criteria as part of 2013-A4. Despite the Imperva post, it absolutely is part of the OWASP Top Ten, just not one of the top-level categories. To me this seems appropriate.


From: owasp-topten-bounces at lists.owasp.org [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Pawel Krawczyk
Sent: Sunday, February 17, 2013 1:52 PM
To: owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] RC1 comments

Well LFI, yes, but LFI has such low impact (though there are many ways to convert it to RFI) that nobody cares.

If LFI/RFI has such low impact, how come they account for almost 40% of defacements (Dec 2012-Feb 2013):
  File Inclusion: 36.884%
Anything that allows you to execute your code on the server will be high impact in most cases. Example (1 million sites hacked, today Bing still shows 460k results):

http://blog.sucuri.net/2011/10/timthumb-php-mass-infection-aftermath-part-i.html

Comment from Imperva on the same topic of LFI/RFI which I fully agree with:

http://blog.imperva.com/2011/12/why-rfi-gets-no-respect.html
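The code-execution risk behind the point above, as an added example that is not part of this thread or of any project mentioned in it: a PHP page router written the way that produces LFI/RFI, beside an allowlisted version that never builds a path from request data. Function, constant and template names are hypothetical.

```php
<?php
// Added example, not from the mailing-list thread. Names are hypothetical.

// VULNERABLE: the file to include is built directly from the request.
// If allow_url_include is on, a URL in $page becomes remote file inclusion;
// even with it off, traversal sequences and stream wrappers give local file
// inclusion, and in either case attacker-controlled content reaches include().
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: the request value is only ever a key into a fixed map of
// templates that live under the application directory. Anything not on the
// allowlist is rejected before include() sees it, so no user-supplied
// string is used as a path or URL.
const PAGE_TEMPLATES = [
    'home'    => __DIR__ . '/templates/home.php',
    'about'   => __DIR__ . '/templates/about.php',
    'contact' => __DIR__ . '/templates/contact.php',
];

function render_page_hardened(string $page): void
{
    if (!array_key_exists($page, PAGE_TEMPLATES)) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include PAGE_TEMPLATES[$page];
}

// Entry point: default to the home page when no page is requested.
render_page_hardened($_GET['page'] ?? 'home');
```

The allowlist is the control that matters: validating or filtering the string (stripping `../`, checking for `http://`) leaves room for wrapper and encoding variants, whereas a lookup table has no path to manipulate. As defence in depth, keep `allow_url_include` off in php.ini (it is off by default) so that even a forgotten `include` of request data cannot fetch code over the network.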