[Owasp-topten] A9, again

Neil Smithline neil.smithline at owasp.org
Tue Feb 19 18:47:40 UTC 2013


First, thanks Abbas for mentioning the A4/A7 merge topic. There have been
several emails about that. All I did was a quick skim of the T10 emails and
missed that topic.

I don't think my feelings about A9 have to do with me being uncomfortable
with the new flavor of it. I think that the change from 2010 to 2013 is the
smallest incremental change between any two consecutive T10s. I was
comfortable with all of the changes, even the dropping of buffer overflow
between the 2004 and 2007 T10s, something I initially thought was a large
mistake.

The explanation for dropping buffer overflow in the 2007 T10 is:

Remediation for [buffer overflow] issues is covered by the traditional
non-web application security community, such as SANS, CERT, and programming
language tool vendors


That is one of the four reasons that I feel that A9 doesn't belong in the
OWASP T10. The other three being that A9:

   - Cannot be detected by manual or automated code reviews.
   - Cannot be managed by T10 target audiences. It is primarily not a
   developer, QA, CM, installation service, configuration, etc... concern.
   - *Is of greatest relevance after the product has been deployed*.

If we are deciding that we will include non-web-specific risks, then I think
that Buffer Overflow deserves serious consideration. While it may be less
common than other risks, the ramifications of buffer overflow can be dire.

Please note that I like the T10's focus on web app sec. That's one of the
reasons I think that A9, like buffer overflow, doesn't belong in the OWASP
T10.

Neil


On Tue, Feb 19, 2013 at 12:27 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:

> From what I have seen, there were as same emails about merging A4 and A7.
>
> Also keep in mind that A9 is a change, and many can't accept change
> easily.
>
> On the contrary, I believe that A9 belongs there as we are listing Top Ten Web
> Application Security Flaws (or Vulnerabilities) and it is really one of
> them (by definition). I know that it's not like the other 9, but that
> doesn't mean it should not be there.
>
> -Abbas
>
> On 1 Esfand 1391, at 20:48, Neil Smithline <neil.smithline at owasp.org>
> wrote:
>
> Based on the highly non-scientific results of quickly scanning through my
> T10 emails, I think that the most discussed issue is A9. Furthermore, I
> think it is the only one that people have suggested fundamental changes to.
>
> Regarding the A9 comments:
> - Over half of them have suggested a name change.
> - Several have suggested renaming
> - Several have suggested expanding it to include platform-level entities
> such as OSs and programming languages.
> - At least two, Steven van der Baan's and mine, have suggested that A9
> doesn't belong in the T10 at all.
>
> The problem is that everyone seems to agree that A9 is a substantial
> risk.
>
> I wonder if there is a halfway point between A9 being in the T10 and not
> being in the T10. Perhaps the Additional Risks section could be promoted to
> a page of its own that adds more detail for several of the additional
> risks. A9 could then be moved to there. This would knock it out of the T10
> while keeping it in the T10 document.
>
> This would also allow expanded discussion of some of the other additional
> risks that may not be worthy of being in the T10 but worthy of being in the
> document. For example, discussing mitigation for DOS and DDOS seems
> particularly important with the recent rise of hacktivists. There is no way
> that DDOS belongs in the T10, but it seems worthy of more than a single link
> at the bottom of some page in the back of the T10 document.
>
> To reiterate my objections to A9, I believe that it is unique because it
> is the only 2013 T10 weakness and, perhaps, the only T10 weakness ever,
> that:
>
>    - Cannot be detected by manual or automated code reviews.
>    - Is a generic programming problem and not a web-specific problem. If
>    I recall correctly, this litmus test caused risks such as Buffer Overflow
>    to be left to the CWE-25.
>    - Cannot be managed by T10 target audiences. It is primarily not a
>    developer, QA, CM, installation service, configuration, etc... concern.
>    - *Is of greatest relevance after the product has been deployed*.
>
> Neil
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten