[Owasp-topten] A9 - Disputed Risk

Christian Heinrich christian.heinrich at cmlh.id.au
Thu May 23 23:21:49 UTC 2013


Just as I hit send I remembered the Sonatype Security Brief mentioned
within http://krvw.com/pipermail/sc-l/2012/002786.htmltoo and that
https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project is
also quoted on the far right column of the table "Total Downloads with
Known Vulnerabilities (Logarithmic)" on page 2 of 6.

Since AntiSammy is intended to not expose a web site to end user
supplied HTML and CSS and it has known vulnerabilities according to
Aspect Security (who contributed to the Sonatype Security Brief).  In
addition, EASPI and AntiSammy are "secure" software components yet
both are actually "insecure" when considered in the context of A9.
Furthermore a majority of the (OWASP Project) leadership for ESAPI and
AntiSammy is influenced by Aspect Security itself.

Therefore A9 must be excluded from the Top Ten otherwise it would
expose OWASP to "hypocritical" attacks from the wider webappsec
community as OWASP has disregarded the intent of "risk management"
https://www.owasp.org/index.php/Top_10_2013-Note_About_Risks due to
the commercial relationship of Aspect Security and Sonatype.

On Tue, May 21, 2013 at 9:58 AM, Christian Heinrich
<christian.heinrich at cmlh.id.au> wrote:
> Dave,
> On Tue, May 21, 2013 at 2:59 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
>> Christian,
>> Your analysis, in my opinion, is seriously flawed.
> If the insecure software component vendor is *not* open source i.e. COTS, their license prohibits the reverse engineering to
> the source code and therefore its vulnerabilities are unknown to the public since an NDA is required.
> I consider that PR spin would be highly effective even when the end user of the web application is also developer of the web  > application (i.e. not COTS and and/or outsourced the development of the web application)  excluding the example when
> insecure software component developed for "security" e.g.  OWASP "Enterprise *Security* API (ESAPI)" and the resulting
> thread related to http://lists.owasp.org/pipermail/owasp-leaders/2010-March/002829.html.
> Based on http://lists.owasp.org/pipermail/owasp-leaders/2010-March/002829.html and your belief that "most people would
> laugh you out of the room if you tried to do so"  then A9 should be excluded from the Top Ten otherwise OWASP would
> expose itself to "hypocritical" attacks from the wider webappsec community.

Christian Heinrich


More information about the Owasp-topten mailing list