[Owasp-topten] A9 - Disputed Risk

Christian Heinrich christian.heinrich at cmlh.id.au
Sun May 19 02:59:30 UTC 2013


Jeff and Dave,

I have just reviewed the application of
https://www.owasp.org/index.php/Top_10_2013-Risk to
https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
and concluded that the actual context based on the definition of A9 is
*not* a "business" risk to the developer, rather to the vendor of the
insecure software component due to liability of brand damage.

To put this another way, the developer suffers little brand damage as
their public relations would be focused on shifting the blame to the
vendor of the insecure software component in order to divert the brand
damage from their (developer) brand to that of the vendor.
This also accounts for when their (vendor) license specifies that the
vendor (of the insecure software component) is not liable for any
damages.

However, if the developer publishes a faulty patch for the
vulnerability identified in the insecure software component, pushes
this upstream to the vendor, and the developer is then found to be
at fault, then this is the actual business risk to the developer, e.g.
http://blog.trailofbits.com/2008/07/21/crippling-crypto-the-debian-openssl-debacle/

Based on https://lists.owasp.org/pipermail/owasp-leaders/2010-April/002985.html
I believe you would concur that this context is the actual "business"
risk too.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact

