[Owasp-topten] A9, again

Neil Smithline neil.smithline at owasp.org
Tue Feb 19 17:18:19 UTC 2013


Based on the highly non-scientific results of quickly scanning through my
T10 emails, I think that the most discussed issue is A9. Furthermore, I
think it is the only one that people have suggested fundamental changes to.

Regarding the A9 comments:
- Over half of them have suggested a name change.
- Several have suggested renaming
- Several have suggested expanding it to include platform level entities
such as OSs and programming languages.
- At least two, Steven van der Baan's and mine, have suggested that A9
doesn't belong in the T10 at all.

The problem is that everyone seems to agree that A9 is a substantial risk.

I wonder if there is a halfway point between A9 being in the T10 and not
being in the T10. Perhaps the Additional Risks section could be promoted to
a page of its own that adds more detail for several of the additional
risks. A9 could then be moved to there. This would knock it out of the T10
while keeping it in the T10 document.

This would also allow expanded discussion of some of the other additional
risks that may not be worthy of being in the T10 but worthy of being in the
document. For example, discussing mitigation for DOS and DDOS seems
particularly important with the recent rise of hacktivists. There is no way
that DDOS belongs in the T10 but it seems worthy of more than a single link
at the bottom of some page in the back of the T10 document.

To reiterate my objections to A9, I believe that it is unique because it is
the only 2013 T10 weakness and, perhaps, the only T10 weakness ever,
that:

   - Cannot be detected by manual or automated code reviews.
   - Is a generic programming problem and not a web-specific problem. If I
   recall correctly, this litmus test caused risks such as Buffer Overflow to
   be left to the CWE-25.
   - Cannot be managed by T10 target audiences. It is primarily not a
   developer, QA, CM, installation service, configuration, etc... concern.
   - *Is of greatest relevance after the product has been deployed*.

Neil