[Owasp-topten] Risks vs Vulns

Ryan Barnett ryan.barnett at owasp.org
Tue Feb 19 15:12:17 UTC 2013


Related to App-layer DDoS -
http://krebsonsecurity.com/2013/02/ddos-attack-on-bank-hid-900000-cyberheist/

Cyber criminals are leveraging DoS attacks to either disguise their attacks
or as a force multiplier to aid in their attacks.

-Ryan

From:  Ryan Barnett <ryan.barnett at owasp.org>
Date:  Sunday, February 17, 2013 11:55 AM
To:  Abbas Naderi <abbas.naderi at owasp.org>
Cc:  Tom Brennan <tomb at owasp.org>, "owasp-topten at lists.owasp.org"
<owasp-topten at lists.owasp.org>
Subject:  Re: [Owasp-topten] Risks vs Vulns

> Application DoS was already in the Top 10 2004 -
> https://www.owasp.org/index.php/A9_2004_Application_Denial_of_Service. We can
> use that as a base for discussion. The key point I would raise with regard to
> "Am I vulnerable…" and references are the Slow Request/Read attack scenarios
> employed by a large number of attack tools today that weren't prevalent back
> in 2004. From a "How do I prevent DoS" perspective, I would definitely
> reference the UserTrend/SystemTrend categories of AppSensor Detection Points -
> 
> https://www.owasp.org/index.php/AppSensor_DetectionPoints#UserTrendException
> https://www.owasp.org/index.php/AppSensor_DetectionPoints#SystemTrendException
> 
> -Ryan
> 
> From:  Abbas Naderi <abbas.naderi at owasp.org>
> Date:  Sunday, February 17, 2013 11:35 AM
> To:  Ryan Barnett <ryan.barnett at owasp.org>
> Cc:  Tom Brennan <tomb at owasp.org>, "owasp-topten at lists.owasp.org"
> <owasp-topten at lists.owasp.org>
> Subject:  Re: [Owasp-topten] Risks vs Vulns
> 
>> Hi Ryan,
>> I partially agree with you on this. I suggest you prepare something similar
>> to As in the document with DOS, then we can talk about including it in.
>> Thanks
>> -Abbas
>> On 29 Bahman 1391, at 19:08, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>> 
>>> Before I dive into my sales pitch for why I think DoS should be in the Top
>>> 10, I thought I would take the opposite approach and ask – why is DoS not in
>>> the Top 10?
>>> 
>>> I understand that Risk ratings factor in different potential impacts (and
>>> data leakages can certainly have a big impact if customer data is stolen)
>>> but we also must take a look at what attacks are actively being used.  The
>>> Web Hacking Incident Database (WHID) helps provide data for attack
>>> likelihood/frequency as we track real world compromises rather than
>>> vulnerability prevalence. Here is a mapping of past Top 10 items to WHID
>>> entries -
>>> https://www.owasp.org/index.php/OWASP_Top_10/Mapping_to_WHID
>>> 
>>> Here is a listing of top Outcomes for 2012 and Downtime is #1 -
>>> https://www.google.com/fusiontables/DataSource?snapid=S886801Zyui
>>> 
>>> Here is a listing of all Downtime incidents -
>>> https://www.google.com/fusiontables/DataSource?snapid=S886617Awnp
>>> 
>>> Based on this info, App-layer DoS has got to be in the Top 10. Perhaps
>>> something to consider is WHO are the consumers of the Top 10? Developers?
>>> Many of the app-layer DoS attacks target web server infrastructure
>>> components and cannot be fixed by developers; however, this does not diminish
>>> the negative impact to the web site. Another thing to consider is the whole
>>> mass assignment discussion, as the end result is typically app DoS.
>>> 
>>> In WHID we provide different VIEWS of the data depending on the reader's
>>> perspective -
>>> 
>>> Attack View - is for the Breaker community
>>> Weakness View - is for the Builder community
>>> Outcome View - is for Business owners.
>>> 
>>> Perhaps we can have similar views for the Top 10.
>>> 
>>> -Ryan
>>> 
>>> From:  Tom Brennan <tomb at owasp.org>
>>> Date:  Sunday, February 17, 2013 9:23 AM
>>> To:  "owasp-topten at lists.owasp.org" <owasp-topten at lists.owasp.org>
>>> Subject:  [Owasp-topten] Risks vs Vulns
>>> 
>>>> If the T10 is based on top risks, not top vulns, what web app does not have
>>>> the availability risk of layer 7 application denial of service? Many would
>>>> agree it is simply by design.
>>>> 
>>>> Based on an active discussion this weekend at Shmoocon in Washington, DC,
>>>> there was a strong group of defenders who would lobby to call out this risk,
>>>> which has shown itself almost daily around the world since 2010. Another
>>>> point was that, since there are many classes of attack, raising visibility for
>>>> the T10 should also incorporate a matrix similar to
>>>> http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View
>>>> to proactively answer the "how does this compare" question that is a FAQ, to
>>>> additionally build awareness (mission). I suspect that, since many community
>>>> members are on this list, that is a separate consensus request.
>>>> 
>>>> Finally, an additional source of reference for the data call managed by Ryan
>>>> Barnett to be included and cross referenced:
>>>> http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database#RealTimeStatistics
>>>> 
>>>> Also provided: the OWASP tool, stable, for the community, with 33k downloads:
>>>> https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool. Although there are many
>>>> variants, including SSL half connects and other combinations, if it does not
>>>> fall as a Top 10 risk, where would it fall on a pentest-centric project?
>>>> Additionally, the testing guide references
>>>> https://www.owasp.org/index.php/Testing_for_Denial_of_Service
>>>> 
>>>> What entity that has something to serve up does not share this concern?
>>>> 
>>>> Discussion.
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Owasp-topten mailing list
>>>> Owasp-topten at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>> 

