[Owasp-topten] A9, again

Abbas Naderi abbas.naderi at owasp.org
Tue Feb 19 17:27:59 UTC 2013

From what I have seen, there were as same emails about merging A4 and A7.

Also keep in mind that A9 is a change, and many can't accept change easily. 

In contrary, I believe that A9 belongs there as we are listing Top Ten Web Application Security Flaws (or Vulnerabilities) and it is really one of them (by definition). I know that it's not like the other 9, but that doesn't mean it should not be there.


On ۱ اسفند ۱۳۹۱, at ۲۰:۴۸, Neil Smithline <neil.smithline at owasp.org> wrote:

> Based on the highly non-scientific results of quickly scanning through my T10 emails, I think that the most discussed issue is A9. Furthermore, I think it is the only one that people have suggested fundamental changes to.
> Regarding the T9 comments:
> - Over half of them have suggested a name change.
> - Several have suggested renaming 
> - Several have suggested expanding it to include platform level entities such as OSs and programming languages,  
> - At least two, Steven van der Baan's and mine, have suggested that A9 doesn't belong in the T10 at all. 
> The problem is that everyone seems to agrees that A9 is a substantial risk. 
> I wonder if there is a halfway point between A9 being in the T10 and not being in the T10. Perhaps the Additional Risks section could be promoted to a page of its own that adds more detail for several of the additional risks. A9 could then be moved to there. This would knock it out of the T10 while keeping it in the T10 document. 
> This would also allow expanded discussion of some of the other additional risks that may not be worthy of being in the T10 but worthy of being in the document. For example, discussing mitigation for DOS and DDOS seems particularly important with the recent rise of hactivists. There is no way that DDOS belongs in the T10 but it seems worthy of more than a single link at the bottom of some page in the back of the T10 document.
> To reiterate my objections to A9, I believe that it is unique because it is a weakness that it is the only 2013 T10 and, perhaps, the only T10 ever, that:
> Cannot be detected by manual or automated code reviews.
> Is a generic programming problem and not a web-specific problem. If I recall correctly, this litmus test caused risks such as Buffer Overflow to be left to the CWE-25.
> Cannot be managed by T10 target audiences. It is primarily not a developer, QA, CM, installation service, configuration, etc... concern. 
> Is of greatest relevance after the product has been deployed.
> Neil
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20130219/8983378c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4889 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20130219/8983378c/attachment.bin>

More information about the Owasp-topten mailing list