[Owasp-topten] my comments

S.Dalili soroush.dalili at owasp.org
Mon Feb 18 21:05:20 UTC 2013


Hello everyone,
First of all, thank you very much for providing us with the new version of this document. I saw this topic via the OWASP feed today.
I had a quick look at the titles of OWASP top 10 – 2013, and now I have got a comment/question (this may have already been discussed but it may add another value to the original thought).
I think OWASP Top 10 needs to be clear for everyone, i.e. managers, developers, and security researchers. We know other standards such as PCI and also security report templates will use the OWASP Top 10 categorization. Therefore, it needs to be very clear and we should be able to categorize the risks/issues without any confusion. However, any overlap can make this harder.
I think, “A4- Insecure Direct Object References” has a major overlap with “A7 – Missing Function Level Access Control”. Let me explain why I think like that:
Please look at the “A4 - Example Attack Scenario” section. If I find out that I can see other people’s data by changing the account number, is it an “A4 - direct object reference” issue, an “A7 – access control” issue, or both? I think it is both, when many web applications such as Bugzilla are using access controls and others are using indirect object references.
I think we need to be more specific about the titles here.
Another controversial topic is “Using Known Vulnerable Components”. Instead of saying using known or unknown vulnerable components, I think it is better to say “Having 3rd Party Vulnerable/Weak Components”, which means: the component that has been used is vulnerable now, despite the fact that it has a known or unknown issue (the vulnerability has been found during the pentest or it has already been reported as a CVE).
These are only my opinions and I hope it helps the OWASP top 10 development.
Many Thanks,
Soroush

PS1: I did not want to discuss the confusion of “vulnerabilities” vs “attacks” vs “risks” in OWASP Top 10 as it is already a known controversial topic.
PS2: I will share it via Twitter so more people can be involved.
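The A4 scenario the post refers to (seeing another customer's data by changing the account number) is easier to reason about next to code. The following is an added example, not part of the original message or of the OWASP Top 10 document: a constructed in-memory account store, the lookup written as an unchecked direct object reference, the same lookup with an ownership (access control) check, and a per-user indirect reference map. Names such as `Account`, `ReferenceMap`, `get_account_checked` and the sample account numbers are assumptions made for the example.

```python
"""Added example (not from the original post): the A4 account-number
scenario as a direct object reference without an ownership check, with
an access-control check, and behind an indirect reference map.
All data below is constructed for the example."""

import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    number: str
    owner: str
    balance: int


# Constructed sample data: two users, each owning one account.
ACCOUNTS = {
    "1001": Account("1001", "alice", 500),
    "1002": Account("1002", "bob", 900),
}


class Forbidden(Exception):
    """Raised when the caller may not access the referenced object."""


def get_account_unchecked(user: str, account_number: str) -> Account:
    """Direct object reference as described in the A4 scenario: the
    identifier taken from the request is used as the lookup key and the
    caller's identity is never compared with the object's owner, so
    changing the number reveals someone else's data."""
    return ACCOUNTS[account_number]


def get_account_checked(user: str, account_number: str) -> Account:
    """Same direct reference, but an authorization check compares the
    object's owner with the authenticated user before returning it."""
    account = ACCOUNTS[account_number]
    if account.owner != user:
        raise Forbidden(f"{user} may not read account {account_number}")
    return account


@dataclass
class ReferenceMap:
    """Indirect object references: the client only sees random
    per-user handles, the server resolves them to real keys, and the map
    is scoped to the user, so a handle for someone else's account does
    not resolve at all."""
    user: str
    _handles: dict = field(default_factory=dict)

    def handles(self) -> dict:
        """Issue one opaque handle per account the user owns (called
        once per session; returns the same handles on later calls)."""
        if not self._handles:
            for number, account in ACCOUNTS.items():
                if account.owner == self.user:
                    self._handles[secrets.token_urlsafe(16)] = number
        return dict(self._handles)

    def resolve(self, handle: str) -> Account:
        """Map a client-supplied handle back to the real account; an
        unknown or foreign handle is rejected, not guessed."""
        try:
            return ACCOUNTS[self._handles[handle]]
        except KeyError:
            raise Forbidden(f"unknown handle for {self.user}") from None


def allowed(lookup, user: str, account_number: str) -> bool:
    """True if `lookup` returns an account for (user, number) instead of
    raising Forbidden; used to compare the three approaches."""
    try:
        lookup(user, account_number)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("unchecked, alice -> 1002:", allowed(get_account_unchecked, "alice", "1002"))
    print("checked,   alice -> 1002:", allowed(get_account_checked, "alice", "1002"))
    m = ReferenceMap("alice")
    for handle, number in m.handles().items():
        print("alice handle", handle, "->", m.resolve(handle).number)
```

The unchecked function is the A4 finding; the checked function is what A7's "function level access control" asks for at the object level; the reference map is the alternative mitigation the post mentions. Whichever heading a report files it under, the observable defect is the same: a client-controlled key reaches the data layer without the server deciding whether this caller may use it.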