[Owasp-topten] My comments: OWASP Top 10 - 2013 rc1

Jeremiah Grossman jeremiah at whitehatsec.com
Fri Feb 22 02:15:16 UTC 2013


In no particular order…


1) Found the following two sentences, one says "eleventh" and the other "tenth," this should be reconciled.

"This release of the OWASP Top 10 marks this project’s eleventh year of raising awareness of the importance of application security risks."

"This release of the OWASP Top 10 marks this project’s tenth year of raising awareness of the importance of application security risks."


2) This sentence implies that WhiteHat falls into the "tool" vendor category, but we're really not, nor are we consultants. We're SaaS, and I'd suspect Veracode might have the same issue as well.

"The OWASP Top 10 is based on risk data from 8 firms that specialize in application security, including 4 consulting companies and 4 tool vendors (2 static and 2 dynamic)."

I'd recommend nixing the last part entirely, as it wouldn't seem to matter what types of appsec vendors we all are in this context anyway. No need for confusion. For example...

"The OWASP Top 10 is based on risk data from 8 firms that specialize in application security."




3) I know I risk holy war with this comment, but IMHO, the following statements are subjective. And to my mind unnecessarily pit the two different software security testing methodologies against each other.

"Reviewing the code is the strongest way to verify whether an application is secure. Testing can only prove that an application is insecure."

This is especially confusing because earlier in the document we find this more reasonable suggestion:

"OWASP recommends a combination of security code review and application penetration testing whenever possible, as that allows you to leverage the strengths of both techniques, and the two approaches complement each other."

Perhaps instead some comments are in order about what these testing methodologies are best suited to measure / find, what circumstances they are best used in, and when. Often one can and should be used over another in certain circumstances, while both in others. Additional thoughts:

Black Box vs White Box. You are doing it wrong.
http://jeremiahgrossman.blogspot.com/2009/10/black-box-vs-white-box-you-are-doing-it.html


2) If this were only the case, as compliance does not really allow organizations to move beyond it.

"We encourage you to use the Top 10 to get your organization started with application security."



4) The entire document emphasizes and encourages a process driven approach to appsec throughout the pages, particularly with ASVS being recommended all over. Then there's this statement, which seems to contradict:

"These programs come in all shapes and sizes, and you should avoid attempting to do everything in a process model. Instead, leverage your existing organization’s strengths and measure what works for you."

Am I misunderstanding something? Is ASVS not a process?


5) " • Broken Authentication and Session Management moved up in prevalence based on our data set,. Probably because this area is being looked at harder, not because issues are actually more prevalent. This caused Risks A2 and A3 to switch places."

I'd like to get additional insight into what "data set" and thought process went into this decision. Not saying that it's "wrong" yet, just wanna know why someone thinks so.



I might have more later, first run through. I'm thinking about how best to articulate how the OWASP Top 10 is both used and abused, despite all of our best efforts.


Regards,


Jeremiah-

