[Owasp-topten] A9 - Disputed Risk

Abbas Naderi abbas.naderi at owasp.org
Sun May 19 04:58:45 UTC 2013

Good point, as was discussed many times in the past.

On ۲۹ اردیبهشت ۱۳۹۲, at ۷:۲۹, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:

> Jeff and Dave,
> I have just reviewed the application of
> https://www.owasp.org/index.php/Top_10_2013-Risk to
> https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
> and concluded that the actual context based on the definition of A9 is
> *not* a "business" risk to the developer, rather to the vendor of the
> insecure software component due to liability of brand damage.
> To put this another way the developer suffers little brand damage as
> their public relations would be focused on shifting the blame to the
> vendor of the insecure software component in order to divert the brand
> damage from their (developer) brand to that of the vendor's (brand).
> This also accounts for when their (vendor) license specifies that the
> vendor (of the insecure software component) is not liable for any
> damages.
> However, if the developer publishes a faulty patch for the
> vulnerability identified in the insecure software component and pushes
> this upstream to the vendor and is then the developer is found to be
> at fault then this is the actual business risk to the developer e.g.
> http://blog.trailofbits.com/2008/07/21/crippling-crypto-the-debian-openssl-debacle/
> Based on https://lists.owasp.org/pipermail/owasp-leaders/2010-April/002985.html
> I believe you would concur that this context is the actual "business"
> risk too.
> -- 
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4889 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20130519/db03754d/attachment.bin>

More information about the Owasp-topten mailing list