[Owasp-topten] A9 - No Support within Statistics Sampled

Dave Wichers dave.wichers at owasp.org
Tue May 28 14:50:21 UTC 2013


Christian,

We've been concerned about this issue since soon after the 2007 Top 10 was
released. In 2007, the Top 10 project added CSRF to the Top 10 even though
it was only ranked 32 on MITRE's list of most commonly reported flaws. We
knew it was a significantly underreported and under-looked-for issue, so we
used our best judgment and put it in at #5. In 2010 it was actually #5 based
on the actual reported stats so our best guess was pretty reasonable. We are
simply doing the same thing again for another underreported and under-looked-for
issue. We believe it deserves more focus and emphasis than what was done
in the 2010 version of the Top 10.

In 2010, we specifically highlighted this concern in the 2010 Top 10 within
the existing A6-Security Misconfiguration.

On page: https://www.owasp.org/index.php/Top_10_2010-A6

It says:

Am I Vulnerable To 'Security Misconfiguration'?
Have you performed the proper security hardening across the entire
application stack?

Do you have a process for keeping all your software up to date? This
includes the OS, Web/App Server, DBMS, applications, and all code libraries.

How Do I prevent 'Security Misconfiguration'?
The primary recommendations are to establish all of the following:

...

2. A process for keeping abreast of and deploying all new software updates
and patches in a timely manner to each deployed environment. This needs to
include all code libraries as well, which are frequently overlooked.

Example Scenarios
Scenario #1: Your application relies on a powerful framework like Struts or
Spring. XSS flaws are found in these framework components you rely on. An
update is released to fix these flaws but you don't update your libraries.
Until you do, attackers can easily find and exploit these flaws in your app.


So all we are doing for 2013 is taking this same guidance and
recommendations for insecure libraries and pulling it out into a distinct
Top 10 item to provide more emphasis on it so it gets more attention, which
we think it deserves. And to make room we combined the two crypto-related
items rather than drop something off the list entirely.

-Dave

p.s. You separately have complained about some kind of business relationship
between Aspect Security and Sonatype which serves as motivation for us doing
this. We simply wrote a joint paper with them because they provided us the
hard statistics that we didn't have access to. For years we have felt that
this is a significant concern, but Sonatype's data allowed us to back up our
professional opinion with some actual facts. We don't have any kind of
business partnership with Sonatype.

-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Christian
Heinrich
Sent: Tuesday, May 28, 2013 12:20 AM
To: owasp-topten at lists.owasp.org
Subject: [Owasp-topten] A9 - No Support within Statistics Sampled

Dave and Jeff,

I have received a few direct e-mails related to
http://lists.owasp.org/pipermail/owasp-topten/2013-May/001047.html
which I will attempt to address now.

Based on http://lists.owasp.org/pipermail/owasp-topten/2013-May/001041.html
I am unaware if either HP or Trustwave produced statistics relevant to
A9 or other "supply chain" issues since I have not reviewed their samples
(as I had to register). I would welcome both of them to provide the
relevant extract for consideration.

Neither
http://blog.mindedsecurity.com/2013/02/real-life-vulnerabilities-statistics.html
nor
https://www.softtek.com/webdocs/special_pdfs/WP-State-of-the-art-2013.pdf
makes any reference to "supply chain" issues. Again, I would welcome both
parties to correct this if my analysis is incorrect.

Therefore (provided the above assumptions are correct), the only source of
statistics related to the "supply chain" is Veracode's "State of Software
Security - Volume 4". Please note the intent of these statistics is not
strictly scientific; rather, Veracode's target audience and associated
marketing are those seeking "Independent security verification of
third-party software ..." (as quoted on p7).

The relevant extracts, which do not support A9, are:

p9 - "As the reliance on third-party software and components has grown, so
has the awareness that security weaknesses embedded in those applications
become a liability for the enterprise that is accepting that software. This
recognition transcends the security community as you see calls for this
level of due diligence from leaders in the sourcing and vendor management
area as well. In this report we examined which industry segments are heeding
this call to action and engaging in this process with their third-party
software suppliers. We found enterprises representing at least eight
different industry segments-Software, Finance, Aerospace & Defense,
Government, Entertainment, Telecommunications, Insurance, and Oil & Gas.
While Software and Finance account for the majority of the dataset,
companies across the spectrum are starting to hold their software suppliers
accountable."

p23 - "Requestor Type by Industry" pie chart, i.e. Software/IT
Services (54%) and then Finance (39%); the remaining seven percent is spread
across Aerospace & Defense, Government, Entertainment, Telecommunications,
Insurance, Oil & Gas and other.

It is also worth noting that the "State of Software Security - Volume 4"
was published in December 2011; therefore the same target audience of the
OWASP Top Ten has known about A9 already for over a year and a half.
Furthermore, if A9 was an emerging risk then it should have been incorporated
in the April 2010 release of the OWASP Top Ten three years ago (i.e.
1.5 years before the publication of Veracode's "State of Software Security -
Volume 4").


--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
_______________________________________________
Owasp-topten mailing list
Owasp-topten at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-topten