[Owasp-topten] [Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available

Onn Chee Wong ocwong at owasp.org
Wed Feb 20 06:06:43 UTC 2013

Hi folks,

One more feedback regarding A6, Sensitive Data Exposure.

In the "How Do I Prevent This?" section, I suggest we advise the readers to
check and inspect the outbound traffic from web apps.

Just like how the customs folks have to inspect the luggage leaving the
airports to ensure no undeclared valuables are "leaked out", we can hardly
convince the user that nothing sensitive is being exposed if we do not
check the traffic going out.

It is akin to us reassuring the users that a web app is secure without
looking at the source code.

Just my $0.02. :-)

Thank you for your attention.
Best Regards Wong Onn Chee OWASP Singapore Chapter Lead

On 16/02/2013 10:14, Wong Onn Chee wrote:

Hi Dave and team,

Well done!

Have a feedback about A9.

A9 seems to be one of the numerous ways how the actual
vulnerabilities/risks, e.g. SQL injection, XSS and etc, are being
introduced. It does not seem substantial enough to stand alone as an
individual risk.

In actual fact, the analysis mentioned this "including injection, broken
access control, XSS, etc." under the technical impact. Does that mean the
root cause is still back to the Top 3 risks in OWASP Top 10 2013?

If we are still going along this thread of thought, will a better
alternative be "Lack of source code review" or "Negligence in patching"?

Recently, after a massive hack of 17 Singapore government agency websites,
I was asked to provide my $0.02, being the local OWASP rep. The agency was
obviously using insecure and unpatched frameworks/platform for the 17
websites. However, they were not aware of this when they first deployed the
framework/platform (it was the most updated version then). But a simple
source code review would have discovered the loopholes even before the
initial deployment. Thereafter, when new security fixes were released, they
were not applied resulting in the eventual massive hack.

(PS: The Singapore government FINALLY requires the government agencies to
conduct source reviews for web apps after my shameless push for secure
codes! Hooray!)

Fair enough, the root cause(s) still relates back to the usual Top 3 risks.
Similar to the proposed A9 item. ;-)

Hope my $0.02 is of some help.

BTW, can I make reference to the new OWASP Top 10 2013 RC in next week's
OWASP AppSec Asia in Jeju?

Also, any advance plans for the ESAPI team to update the ESAPI libraries to
protect the new risks covered by OWASP Top 10 2013?

Best Regards
Onn Chee
OWASP Singapore

On 16/02/2013 00:25, Dave Wichers wrote:

OWASP Leaders!

The Release Candidate for the OWASP Top 10 – 2013 is now available!

It’s also available for Download here

A press release for this should be coming out later today.

Please forward to all the developers and development teams you know!! I’d
love to get feedback from them too, and to start immediately raising
awareness about what’s changed in this update to the Top 10. The primary
change is the addition of the new category: A9-Using Components with Known

We plan to release the final version of the OWASP Top 10 - 2013 in April or
May 2013 after a public comment period ending March 30, 2013.

Constructive comments on this OWASP Top 10 - 2013 Release Candidate should
be forwarded via email to OWASP-TopTen at lists.owasp.org. Private comments
may be sent to dave.wichers at owasp.org .  Anonymous comments are welcome.
All  non-private comments will be catalogued and published at the same time
as the final public release.  Comments recommending changes to the items
listed in the Top 10 should include a complete suggested list of 10 items,
along with a rationale for any changes. All comments should indicate the
specific relevant page and section.

Your feedback is critical to the continued success of the OWASP Top 10
Project. Thank you all for your dedication to improving the security of the
world’s software for everyone.

Thanks, Dave

OWASP Top 10 Project Lead

_______________________________________________ OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20130220/b573b39a/attachment-0001.html>

More information about the Owasp-topten mailing list