[Owasp-topten] A9, again

Steven van der Baan steven.van.der.Baan at owasp.org
Tue Feb 19 21:54:51 UTC 2013


On Feb 19, 2013 7:02 PM, "Abbas Naderi" <abbas.naderi at owasp.org> wrote:
>
> I think you got the wrong idea about A9.
>
>
> The current A9 meant usage of insecure third party libraries and tools in
your application, not like using insecure operating system.
> It is indeed an issue in non-web systems, but is most bold when it comes
to web.
I believe that there is something wrong with A9 when you have to explain it
multiple times. If the correct idea is not apparent from the initial read -
and the new top 10 will be used without an additional manual - it should be
or removed or rewritten completely.

>
> It can be easily detected by manual review and also can be detected by
automated tools, e.g search for PHPExcel version 2.0 and below in a project
tree.
This is information disclosure which was mentioned in the Top 10 - 2007,
and that is an vulnerability which can lead to a risk. It can also be
misdirection, as I've seen many times before (e.g. stating that you're
dealing with IIS 6, when it actually is a Apache server).

>
> It is also (IMHO) directed first towards developers, and second towards
admins. I don't see what it has to do in post deployment.
Where does it state that it is directed at somebody, I haven't seen that
anywhere in the whole document.

>
> I'm assuming that you have another description of A9 in mind, so would
you please describe it as you see to us as well?
Unfortunately no. At the moment I'd rather see it removed as it is.

> Thanks
> -Abbas
>
> On ۱ اسفند ۱۳۹۱, at ۲۲:۱۷, Neil Smithline <neil.smithline at owasp.org>
wrote:
>
>> First, thanks Abbas for mentioning the A4/A7 merge topic. There have
been several emails about that. All I did was a quick skim of the T10
emails and missed that topic.
>>
>> I don't think my feelings about A9 have to do with me being
uncomfortable with the new flavor of it. I think that the change from 2010
to 2013 is the smallest incremental change between any two consecutive
T10s. I was comfortable with all of the changes. Even the dropping of
buffer overflow between the 2004 and 2007 T10s. Something I initially
thought was a large mistake.
>>
>> The explanation for dropping buffer overflow in the 2007 T10 is:
>>>
>>> Remediation for [buffer overflow] issues is covered by the traditional
non-web application security community, such as SANS, CERT, and programming
language tool vendors
>>
>>
>> That is one of the four reasons that I feel that A9 doesn't belong in
the OWASP T10. The other three being that A9
>> Cannot be detected by manual or automated code reviews.
>> Cannot be managed by T10 target audiences. It is primarily not a
developer, QA, CM, installation service, configuration, etc... concern.
>> Is of greatest relevance after the product has been deployed.
>> If we are deciding that we will include non-web specific risks then I
think that Buffer Overflow deserves serious consideration. While it may be
less common than other risks, the ramifications of buffer overflow can be
dire.
>>
>> Please note that I like the T10's focus on web app sec. That's one of
the reasons I think that A9, like buffer overflow, doesn't belong in the
OWASP T10.
>>
>> Neil
>>
>>
>> On Tue, Feb 19, 2013 at 12:27 PM, Abbas Naderi <abbas.naderi at owasp.org>
wrote:
>>>
>>> From what I have seen, there were as same emails about merging A4 and
A7.
>>>
>>> Also keep in mind that A9 is a change, and many can't accept change
easily.
>>>
>>> In contrary, I believe that A9 belongs there as we are listing Top Ten
Web Application Security Flaws (or Vulnerabilities) and it is really one of
them (by definition). I know that it's not like the other 9, but that
doesn't mean it should not be there.
>>>
>>> -Abbas
>>>
>>> On ۱ اسفند ۱۳۹۱, at ۲۰:۴۸, Neil Smithline <neil.smithline at owasp.org>
wrote:
>>>
>>>> Based on the highly non-scientific results of quickly scanning through
my T10 emails, I think that the most discussed issue is A9. Furthermore, I
think it is the only one that people have suggested fundamental changes to.
>>>>
>>>> Regarding the T9 comments:
>>>> - Over half of them have suggested a name change.
>>>> - Several have suggested renaming
>>>> - Several have suggested expanding it to include platform level
entities such as OSs and programming languages,
>>>> - At least two, Steven van der Baan's and mine, have suggested that A9
doesn't belong in the T10 at all.
>>>>
>>>> The problem is that everyone seems to agrees that A9 is a substantial
risk.
>>>>
>>>> I wonder if there is a halfway point between A9 being in the T10 and
not being in the T10. Perhaps the Additional Risks section could be
promoted to a page of its own that adds more detail for several of the
additional risks. A9 could then be moved to there. This would knock it out
of the T10 while keeping it in the T10 document.
>>>>
>>>> This would also allow expanded discussion of some of the other
additional risks that may not be worthy of being in the T10 but worthy of
being in the document. For example, discussing mitigation for DOS and DDOS
seems particularly important with the recent rise of hactivists. There is
no way that DDOS belongs in the T10 but it seems worthy of more than a
single link at the bottom of some page in the back of the T10 document.
>>>>
>>>> To reiterate my objections to A9, I believe that it is unique because
it is a weakness that it is the only 2013 T10 and, perhaps, the only T10
ever, that:
>>>> Cannot be detected by manual or automated code reviews.
>>>> Is a generic programming problem and not a web-specific problem. If I
recall correctly, this litmus test caused risks such as Buffer Overflow to
be left to the CWE-25.
>>>> Cannot be managed by T10 target audiences. It is primarily not a
developer, QA, CM, installation service, configuration, etc... concern.
>>>> Is of greatest relevance after the product has been deployed.
>>>> Neil
>>>> _______________________________________________
>>>> Owasp-topten mailing list
>>>> Owasp-topten at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>>>
>>>
>>
>
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20130219/00dc05aa/attachment-0001.html>


More information about the Owasp-topten mailing list