[Owasp-topten] my comments

Abbas Naderi abbas.naderi at owasp.org
Tue Feb 19 05:41:55 UTC 2013

Well everyone, I think this is the 6th time I hear these comments this week (besides myself giving them out!), so all in favor of the changes below please vote:

	1. Mixing A4 (Insecure Direct Object Reference) with A7 (Missing Function Level Access Control) and naming it A4 - Insufficient Access Control

	2. Naming A9 - Having third-party vulnerable components


On 1 Esfand 1391, at 0:35, "S.Dalili" <soroush.dalili at owasp.org> wrote:

> Hello everyone,
> First of all, thank you very much for providing us with the new version of this document. I saw this topic via the OWASP feed today.
> I had a quick look at the titles of OWASP top 10 – 2013, and now I have got a comment/question (this may have already been discussed but it may add another value to the original thought).
> I think OWASP Top 10 needs to be clear for everyone i.e. managers, developers, and security researchers. We know other standards such as PCI and also security reports templates will use OWASP top 10 categorization. Therefore, it needs to be very clear and we should be able to categorize the risks/issues without any confusion. However, any overlap can make this harder.
> I think, “A4- Insecure Direct Object References” has a major overlap with “A7 – Missing Function Level Access Control”. Let me explain why I think like that:
> Please look at the “A4 - Example Attack Scenario” section. If I find out that I can see other people’s data by changing the account number, is it an “A4 - direct object reference” issue, an “A7 – Access control” issue, or both? I think it is both, when many web applications such as Bugzilla are using access controls and others are using indirect object references.
> I think we need to be more specific about the titles here.
> Another controversial topic is “Using Known Vulnerable Components” – Instead of saying using known or unknown vulnerable components, I think it is better to say “Having 3rd Party Vulnerable/Weak Components”, which means the component that has been used is vulnerable now, despite the fact that it has a known or unknown issue (the vulnerability has been found during the pentest or it has already been reported as a CVE).
> These are only my opinions and I hope it helps the OWASP top 10 development.
> Many Thanks,
> Soroush
> PS1: I did not want to discuss the confusion of “vulnerabilities” vs “attacks” vs “risks” in OWASP Top 10 as it is already a known controversial topic.
> PS2: I will share it via Twitter so more people can be involved.
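The account-number scenario from the quoted message, as an added example that is not from the thread or from the OWASP Top 10 document: it separates the function-level check (may this role call the operation at all?) from the object-level check (does the requested account belong to the caller?), so the overlap the message describes is visible in code. The role policy, user records and account data are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "customer" or "support"


# Constructed sample data: account number -> owner name.
ACCOUNTS = {"1001": "alice", "1002": "bob"}

# Function-level policy (the A7 concern): which roles may invoke which operation.
FUNCTION_POLICY = {
    "view_account": {"customer", "support"},
    "close_account": {"support"},
}


def authorize(user: User, operation: str, account_no: str,
              check_object: bool = True) -> str:
    """Return 'allowed', 'denied-function' or 'denied-object'.

    With check_object=False only the function-level check runs. That is the
    shape behind the scenario in the message: a customer is legitimately
    allowed to call view_account, so A7 is satisfied, yet changing the
    account number reveals another customer's data (the A4 concern).
    """
    if user.role not in FUNCTION_POLICY.get(operation, set()):
        return "denied-function"
    if not check_object:
        return "allowed"
    owner = ACCOUNTS.get(account_no)
    if owner is None:
        # Unknown object: deny rather than leak whether the number exists.
        return "denied-object"
    # Support staff may see any account; customers only their own.
    if user.role != "support" and owner != user.name:
        return "denied-object"
    return "allowed"


if __name__ == "__main__":
    alice = User("alice", "customer")
    # Function-level check alone lets alice read bob's account.
    print(authorize(alice, "view_account", "1002", check_object=False))
    # Adding the object-level check closes that hole.
    print(authorize(alice, "view_account", "1002"))
```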
