[Owasp-topten] [Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available

Tobias tobias.gondrom at owasp.org
Mon Feb 18 12:45:56 UTC 2013


Hi all,

Thanks a lot for the update of the OWASP Top-Ten.
I have to agree a bit with Dennis that we should do more ("than
potentially just repackaging the same thing all the time").

And I am still not fully in line with the fact that we remove 2010.A9
from the list, as I believe that this risk is still a significant
problem. Although we fixed part of it with RFC6797 (HSTS) and key
pinning, this is far from over, and it will not be until all these
things have been widely implemented (which could still take a while).

Best regards, Tobias



On 16/02/13 04:06, Dennis Groves wrote:
>
>
>       The OWASP Top 10.
>
> The OWASP Top Ten <https://www.owasp.org/index.php/Top_10_2010> became
> the de facto standard in 2005 when the PCI Security Standards Council
> ("About the PCI Data Security Standard (PCI DSS)") endorsed it as a
> requirement for PCI DSS compliance. OWASP revises the Top 10 every 2
> years to keep it current with the threat landscape. Here is the
> complete OWASP Top 19:
>
> OWASP Top 19                                   2004  2007  2010  2013
> Unvalidated Input                              A01   ---   ---   ---
> Broken Access Control                          A02   ---   ---   ---
> Broken Authentication & Session Management     A03   A07   A03   A02
> Cross Site Scripting (XSS)                     A04   A01   A02   A03
> Buffer Overflow                                A05   ---   ---   ---
> Injection Flaws                                A06   A02   A01   A01
> Information Leakage & Improper Error Handling  A07   A06   ---   ---
> Insecure Storage                               A08   A08   A07   ---
> Application Denial of Service                  A09   ---   ---   ---
> Insecure Configuration Management              A10   ---   A06   A05
> Malicious File Execution                       ---   A03   ---   ---
> Insecure Direct Object Reference               ---   A04   A04   A04
> Cross Site Request Forgery (CSRF)              ---   A05   A05   A08
> Insecure Communications                        ---   A09   A09   ---
> Failure to Restrict URL Access                 ---   A10   A08   ---
> Unvalidated Redirects and Forwards             ---   ---   A10   A10
> Sensitive Data Exposure                        ---   ---   ---   A06
> Missing Function Level Access Control          ---   ---   ---   A07
> Using Known Vulnerable Components              ---   ---   ---   A09
>
> Do you notice a pattern? I do: remove 3 things and add three new ones,
> which are really just new words for the old things, and flavor the
> document with a new colour! I can even predict the 2015 top 10: we can
> start picking three from the list that haven't appeared since 2007 and
> change the colour to brown.
>
> I am a bit disappointed that something so visible and so important to
> *Aspect, Trustwave and WhiteHat* is nothing more than a lukewarm make
> over of material from 2007 essentially thrown together. How about some
> root cause analysis? The OWASP Top 19 looks like 3 issues to me from a
> root cause analysis perspective. /I'll even give you a hint: Identity
> management, access control and input validation, but not in that order./
>
> This is perhaps the most visible and important project; it seems to me
> we could and should be doing a lot more than just repackaging the same
> thing all the time.
>
> *The whole world is watching and this is a big opportunity to make a
> difference. I think it deserves more than a lukewarm make-over.*
>
> Dennis
>
> ------------------------------------------------------------------------
>
> Dennis Groves <http://about.me/dennis.groves>, MSc
> Email me <mailto:dennis.groves at owasp.org> or schedule a meeting
> <http://goo.gl/8sPIy>.
>
> /This email is licensed under a CC BY-ND 3.0
> <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license./
>
> *Please do not send me Microsoft Office/Apple iWork documents.*
> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
> Stand up for your freedom to install free software
> <http://www.fsf.org/campaigns/secure-boot/statement>.
>
>     The idea that some lives matter less is the root of all that's
>     wrong with the world. -- Paul Farmer
>
>
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
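Tobias points to RFC 6797 (HSTS) as a partial fix for 2010-A9 that only helps once it is widely and correctly deployed. The following is an added example, not code from this thread, from OWASP or from the RFC: it parses a Strict-Transport-Security header value the way a conforming user agent would (required max-age, valueless includeSubDomains, no duplicate directives, unknown directives ignored) and reports the findings a defender would raise about a weak policy. The one-year threshold in RECOMMENDED_MAX_AGE and the header values in SAMPLE_HEADERS are assumptions constructed for this example.

```python
"""Parse and assess a Strict-Transport-Security (HSTS) header, RFC 6797.

Added illustration for this thread, not code from the list or from OWASP.
The header values in SAMPLE_HEADERS are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed threshold for this example: one year, the minimum the browser
# preload lists ask for. Shorter values are valid, but the policy lapses
# sooner after a user's last HTTPS visit.
RECOMMENDED_MAX_AGE = 31536000

# directive = name [ "=" ( token / quoted-string ) ]
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("?)([^";]*)\2\s*)?$')


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    # Directives a UA ignores when it does not recognise them (e.g. preload).
    other: dict = field(default_factory=dict)


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the policy a conforming UA would apply, or None when the
    header is syntactically invalid and would therefore be ignored."""
    seen = {}
    for raw in value.split(';'):
        if not raw.strip():
            continue  # tolerate a trailing ';' as browsers do
        m = _DIRECTIVE.match(raw)
        if m is None:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            return None  # RFC 6797 s6.1: each directive at most once
        seen[name] = m.group(3)  # None when the directive carries no value
    if 'max-age' not in seen:
        return None  # max-age is the only required directive
    age = seen.pop('max-age')
    if age is None or not age.isdigit():
        return None
    include_sub = 'includesubdomains' in seen
    if include_sub and seen.pop('includesubdomains') is not None:
        return None  # includeSubDomains is valueless
    return HstsPolicy(int(age), include_sub, seen)


def assess_hsts(value: str) -> list:
    """Findings a reviewer would raise; an empty list means no concerns."""
    policy = parse_hsts(value)
    if policy is None:
        return ['invalid header: a conforming UA ignores it, so no HSTS applies']
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 removes the host from the UA's HSTS list")
    elif policy.max_age < RECOMMENDED_MAX_AGE:
        findings.append(f'max-age={policy.max_age} is below {RECOMMENDED_MAX_AGE}')
    if not policy.include_subdomains:
        findings.append('includeSubDomains missing: subdomains stay unprotected')
    return findings


# Constructed sample header values for the demonstration below.
SAMPLE_HEADERS = [
    'max-age=31536000; includeSubDomains; preload',
    'max-age=600',
    'max-age=0',
    'includeSubDomains',
    'max-age=100; max-age=200',
]

if __name__ == '__main__':
    for hdr in SAMPLE_HEADERS:
        print(f'{hdr!r:50} -> {assess_hsts(hdr) or ["ok"]}')
```

The parser is deliberately strict where the RFC is: a duplicated directive, a missing max-age or a value on includeSubDomains makes the whole header invalid, which in a real browser means no HSTS protection at all rather than a partially applied policy. That failure mode is the one worth testing for in a deployment review, since the site looks configured while the user agent silently ignores it.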
