[Owasp-topten] Risks vs Vulns

Abbas Naderi abbas.naderi at owasp.org
Wed Feb 20 13:27:01 UTC 2013


Well, in modern systems nobody cares much about hiding some reference when an authorization mechanism is forced to check its accessibility. If you can't cross a door, why hide it behind a curtain!?

A role-based access control is the solution to both problems, and one that is forced on all system operations, not just some of them. That's why it needs merging. (It's also a NIST standard.)
-Abbas
On 2 Esfand 1391 (20 February 2013), at 11:52, Erwin Huber <erwin.huber at ergon.ch> wrote:

> I see a plus in *not* merging A4 and A7.
> They may look similar from an attacker's perspective, but they are different problems which need to be fixed in specific ways.
> 
> A4 is the "vertical" problem. A user needs access to one object but must not have access to another which does not belong to him.
> A7 is the "horizontal" problem. A user of that kind (having this role) must not have access to this functionality.
> 
> The fixes in code are very different.
> A7 requires a role concept implemented not only for displaying - but also for each function access.
> Roles don't help in A4. One resolution is not to give a direct data handle to the client - the other is to check access to specific data objects.
> 
> A4 and A7 are distinct programming problems.
> 
> I am not happy to see the trend in T10 to merge various different themes into one more generic item. Doing that we will end up with a handful of issues describing the whole universe of security risks (for being sarcastic I could propose to have just two topics: "operational security problem" and "programmatic flaws"). A programmer, an administrator or a CIO will not be able to learn easily from the description what to do and what to omit. I vote for being more specific to a problem - with an exact wording that does not include different types of vulnerabilities. Bringing higher awareness of specific problems. Of course, doing that T10 will cover less of the security landscape but helping more in the daily life.
> 
> An example of a highly generic issue - not helping in everyday operation - is A5: "Security misconfiguration". This is a collection of various types of problems which do not necessarily belong together. Is there a relationship between "directory listing" and "choosing a good architecture"? What is the connection from "showing stack traces" to "have up-to-date libraries"?
> 
> So I vote for being more specific and not mixing things together. In this case: leave A4 and A7 as two separate issues.
> 
> erwin
> 
> From: "Abbas Naderi" <abbas.naderi at owasp.org>
> To: "Ryan Barnett" <ryan.barnett at owasp.org>
> Cc: owasp-topten at lists.owasp.org
> Sent: Tuesday, February 19, 2013 5:13:11 PM
> Subject: Re: [Owasp-topten] Risks vs Vulns
> 
> I think after we merge A4 and A7, there would be a slot left for another vuln. Lets discuss DOS kinds for that spot.
> -Abbas
> On 1 Esfand 1391 (19 February 2013), at 18:42, Ryan Barnett <ryan.barnett at owasp.org> wrote:
> 
> Related to App-layer DDoS - http://krebsonsecurity.com/2013/02/ddos-attack-on-bank-hid-900000-cyberheist/
> 
> Cyber criminals are leveraging DoS attacks to either disguise their attacks or as a force multiplier to aid in their attacks.
> 
> -Ryan
> 
> From: Ryan Barnett <ryan.barnett at owasp.org>
> Date: Sunday, February 17, 2013 11:55 AM
> To: Abbas Naderi <abbas.naderi at owasp.org>
> Cc: Tom Brennan <tomb at owasp.org>, "owasp-topten at lists.owasp.org" <owasp-topten at lists.owasp.org>
> Subject: Re: [Owasp-topten] Risks vs Vulns
> 
> Application DoS was already in the Top 10 2004 - https://www.owasp.org/index.php/A9_2004_Application_Denial_of_Service.  We can use that as a base for discussion.  The key point I would raise with regard to "Am I vulnerable…" and references are the Slow Request/Read attack scenarios employed by a large number of attack tools today that weren't prevalent back in 2004.  From a "How do I prevent DoS" perspective, I would definitely reference the UserTrend/SystemTrend categories of AppSensor Detection Points -
> 
> https://www.owasp.org/index.php/AppSensor_DetectionPoints#UserTrendException.
> https://www.owasp.org/index.php/AppSensor_DetectionPoints#SystemTrendException
> 
> -Ryan
> 
> From: Abbas Naderi <abbas.naderi at owasp.org>
> Date: Sunday, February 17, 2013 11:35 AM
> To: Ryan Barnett <ryan.barnett at owasp.org>
> Cc: Tom Brennan <tomb at owasp.org>, "owasp-topten at lists.owasp.org" <owasp-topten at lists.owasp.org>
> Subject: Re: [Owasp-topten] Risks vs Vulns
> 
> Hi Ryan,
> I partially agree with you on this. I suggest you prepare something similar to As in the document with DOS, then we can talk about including it in.
> Thanks
> -Abbas
> On 29 Bahman 1391 (17 February 2013), at 19:08, Ryan Barnett <ryan.barnett at owasp.org> wrote:
> 
> Before I dive into my sales pitch for why I think DoS should be in the Top 10, I thought I would take the opposite approach and ask – why is DoS not in the Top 10?
> 
> I understand that Risk ratings factor in different potential impacts (and data leakages can certainly have a big impact if customer data is stolen) but we also must take a look at what attacks are actively being used.  The Web Hacking Incident Database (WHID) helps provide data for attack likelihood/frequency as we track real world compromises rather than vulnerability prevalence. Here is a mapping of past Top 10 items to WHID entries -
> https://www.owasp.org/index.php/OWASP_Top_10/Mapping_to_WHID
> 
> Here is a listing of top Outcomes for 2012 and Downtime is #1 -
> https://www.google.com/fusiontables/DataSource?snapid=S886801Zyui
> 
> Here is a listing of all Downtime incidents -
> https://www.google.com/fusiontables/DataSource?snapid=S886617Awnp
> 
> Based on this info, app-layer DoS has got to be in the Top 10.  Perhaps something to consider is WHO are the consumers of the Top 10?  Developers?  Many of the app-layer DoS attacks target web server infrastructure components and cannot be fixed by developers; however, this does not diminish the negative impact to the web site. Another thing to consider is the whole mass assignment discussion, as the end result is typically app DoS.
> 
> In WHID we provide different VIEWS of the data depending on the reader's perspective -
> 
> Attack View - is for the Breaker community
> Weakness View - is for the Builder community
> Outcome View - is for Business owners. 
> 
> Perhaps we can have similar views for the Top 10.
> 
> -Ryan
> 
> From: Tom Brennan <tomb at owasp.org>
> Date: Sunday, February 17, 2013 9:23 AM
> To: "owasp-topten at lists.owasp.org" <owasp-topten at lists.owasp.org>
> Subject: [Owasp-topten] Risks vs Vulns
> 
> If the T10 is based on top risks, not top vulns, what web app does not have the availability risk of layer 7 application denial of service? Many would agree it is simply by design.
> 
> Based on an active discussion this weekend at Shmoocon in Washington DC, there was a strong group of defenders that would lobby to call out this risk, which has shown itself almost daily around the world since 2010.  Another point was, since there are many classes of attack, raising visibility for the T10 should also incorporate a matrix similar to http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View to proactively answer the "how does this compare" that is a FAQ, to additionally build awareness (mission), and I suspect that since many community members are on this list, that is a separate consensus request.
> 
> Finally, an additional source of reference for data call managed by Ryan Barnett to be included, cross referenced http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database#RealTimeStatistics also provide
> 
> OWASP Tool stable, for the community with 33k downloads
> https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool and, although there are many variants including SSL half connects and other combinations, if it does not fall as a Top 10 risk, where would it fall on a pentest-centric project? Additionally, the testing guide references https://www.owasp.org/index.php/Testing_for_Denial_of_Service
> 
> What entity does not share this concern that has something to serve up. 
> 
> Discussion.
> 
> 
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
> 
> 
> 
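As an added illustration (not code from the thread, from OWASP, or from any project discussed in it), the following Python sketches the two checks the A4/A7 exchange above keeps apart, each enforced on the server for every call rather than only in the UI: for the data-object problem, either an ownership check on a direct id or an indirect reference map so the client never holds a raw id; for the function-level problem, a role gate bound to the handler itself. The users, roles, invoice records, the per-session token map and every function name here are constructed for the example.

```python
"""Added example, not code from the thread: object-level (A4-style) and
function-level (A7-style) authorization as two separate checks.

All principals, records and handler names are constructed for illustration.
"""
import secrets
from functools import wraps


class Forbidden(Exception):
    """Raised when an authorization check refuses the call."""


# Constructed principals: two ordinary users and one administrator.
USERS = {"alice": "user", "bob": "user", "carol": "admin"}

# Constructed records, keyed by the raw database id (the "direct reference").
INVOICES = {
    101: {"owner": "alice", "amount": 120},
    102: {"owner": "bob", "amount": 75},
}


def require_role(*roles):
    """Function-level gate: applied to the handler, so hiding the menu entry
    is irrelevant; a guessed URL still hits this check."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, *args, **kwargs):
            if USERS.get(user) not in roles:
                raise Forbidden(f"{user} may not call {handler.__name__}")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def export_all_invoices(user):
    """Admin-only report: an example of a function that needs the role gate."""
    return dict(INVOICES)


def get_invoice(user, invoice_id):
    """Object-level check on a direct reference: the caller must own the record."""
    record = INVOICES[invoice_id]
    if record["owner"] != user:
        raise Forbidden(f"{user} does not own invoice {invoice_id}")
    return record


@require_role("user", "admin")
def get_invoice_role_only(user, invoice_id):
    """Deliberately weak handler kept for comparison: every 'user' passes the
    role gate, so the gate alone does nothing about one user reading another
    user's record. This is the gap get_invoice() closes."""
    return INVOICES[invoice_id]


class ReferenceMap:
    """Indirect reference map: random per-session tokens stand in for ids, and
    a token only resolves for the session that issued it."""

    def __init__(self):
        self._by_user = {}  # user -> {token: real_id}

    def issue(self, user, real_id):
        token = secrets.token_urlsafe(8)
        self._by_user.setdefault(user, {})[token] = real_id
        return token

    def resolve(self, user, token):
        try:
            return self._by_user[user][token]
        except KeyError:
            raise Forbidden(f"{user} presented an unknown reference") from None


REFS = ReferenceMap()


def list_invoices(user):
    """Return the caller's own invoices as (token, amount); raw ids stay server-side."""
    return [(REFS.issue(user, i), r["amount"])
            for i, r in INVOICES.items() if r["owner"] == user]


def get_invoice_by_token(user, token):
    """Resolve a token through the caller's own map, then fetch the record."""
    return INVOICES[REFS.resolve(user, token)]


def denied(handler, *args):
    """True if the handler refuses the call; used to show each check's effect."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("alice reads 101:", get_invoice("alice", 101))
    print("bob reads 101 through the role-only gate:", get_invoice_role_only("bob", 101))
    print("bob reads 101 with the ownership check, denied:", denied(get_invoice, "bob", 101))
    print("alice calls the admin export, denied:", denied(export_all_invoices, "alice"))
    token, _ = list_invoices("alice")[0]
    print("bob replays alice's token, denied:", denied(get_invoice_by_token, "bob", token))
```

Run it directly to see each call; the role-only handler is kept only to show the gap that the per-object check closes, while the reference map removes raw ids from the wire entirely and makes a replayed token fail for any other session.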
