[Owasp-topten] A9 - No Support within Statistics Sampled

Christian Heinrich christian.heinrich at cmlh.id.au
Thu May 30 02:52:54 UTC 2013


Dave,

The awareness related to the procurement of Insecure Software
Components has been addressed by Aspect Security under the banner of
the OWASP Legal Project since 2006.

CSRF was considered under a different context in 2007 (i.e.
statistical).  Furthermore, I'll assume that since CSRF was included
in the OWASP Top Ten 2007 Release the existence of CSRF would also be
tested for during an audit and therefore CSRF ranking with the MITRE
statistics would have also subsequently increased.  Please let me know
if that is incorrect.

Aspect Security also removed "Insecure Configuration Management" from
the OWASP Top Ten in 2007 too.

I'll assume that by the copyright notice that Sonatype have existed since 2008?

The only "attention" provided by A9 is to the products and services of
Sonatype and Aspect Security based on the examples and references,
specifically:

In relation to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3451,
@redhat are proactive in their approach based on
http://krvw.com/pipermail/sc-l/2012/002838.html i.e.
https://github.com/gcmurphy/enforce-victims-rule and
http://www.scmagazine.com.au/News/320617,redhat-project-fights-java-vulnerabilities.aspx
so @redhat are aware and are proactively addressing this issue.

Since http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/
references both Aspect Security and Sonatype I would expect there to
be a number of other examples outside of these two companies?  Also of
note is this comment to the article "The discovery by Aspect Security
was found in January 2013, but the fix that SpringSource published was
made available back in 2011 when this was first discovered ...".

Comments such as the above and others like
https://groups.google.com/forum/?fromgroups#!topic/google-web-toolkit/Ezr6acdyZv0
indicate that the Sonatype statistics are unscientific and are biased to
their marketing effort.

I have already addressed the inclusion of both the references from
Aspect Security and Sonatype previously but
https://github.com/jeremylong/DependencyCheck is also mentioned within
the SC-L Thread yet not within A9.

There is a clear commercial relationship between Sonatype and Aspect
Security and your ulterior motive for A9 is to promote Sonatype's
product and services otherwise you would have incorporated other
sources of fact.

On Wed, May 29, 2013 at 12:50 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
> Christian,
>
> We've been concerned about this issue since soon after the 2007 Top 10 was
> released. In 2007, the Top 10 project added CSRF to the Top 10 even though
> it was only ranked 32 on MITRE's list of most commonly reported flaws. We
> knew it was a significantly underreported and under looked for issue so we
> used our best judgment and put it in at #5. In 2010 it was actually #5 based
> on the actual reported stats so our best guess was pretty reasonable. We are
> simply doing the same thing again for another underreported and under looked
> for issue. We believe it deserves more focus and emphasis than what was done
> in the 2010 version of the Top 10.
>
> In 2010, we specifically highlighted this concern in the 2010 Top 10 within
> the existing A6-Security Misconfiguration
>
> On page:
>
> It says:  https://www.owasp.org/index.php/Top_10_2010-A6
>
> Am I Vulnerable To 'Security Misconfiguration'?
>
> Have you performed the proper security hardening across the entire
> application stack?
>
> Do you have a process for keeping all your software up to date? This
> includes the OS, Web/App Server, DBMS, applications, and all code libraries.
>
> How Do I prevent 'Security Misconfiguration'?
>
> The primary recommendations are to establish all of the following:
>
> ...
>
> 2. A process for keeping abreast of and deploying all new software updates
> and patches in a timely manner to each deployed environment. This needs to
> include all code libraries as well, which are frequently overlooked.
>
> Example Scenarios
>
> Scenario #1: Your application relies on a powerful framework like Struts or
> Spring. XSS flaws are found in these framework components you rely on. An
> update is released to fix these flaws but you don’t update your libraries.
> Until you do, attackers can easily find and exploit these flaws in your app.
>
> So all we are doing for 2013 is taking this same guidance and
> recommendations for insecure libraries and pulling it out into a distinct
> Top 10 item to provide more emphasis on it so it gets more attention, which
> we think it deserves. And to make room we combined the two Crypto related
> items rather than drop something off the list entirely.
>
> -Dave
>
> p.s. You separately have complained about some kind of business relationship
> between Aspect Security and Sonatype which serves as motivation for us doing
> this. We simply wrote a joint paper with them because they provided us the
> hard statistics that we didn’t have access to. We for years have felt that
> this is a significant concern, but Sonatype’s data allowed us to back up our
> professional opinion with some actual facts. We don’t have any kind of
> business partnership with Sonatype.

-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
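Both sides of the thread point at tooling that gates a build on a feed of known-vulnerable dependencies (enforce-victims-rule, DependencyCheck). The following is an added example and not part of the original thread, nor code from those projects, from Sonatype or from OWASP: it shows the core of such a check, a constructed advisory feed with affected version ranges, a constructed dependency manifest in `group:artifact:version` form, and a comparison that fails the build on a match. Every advisory id, coordinate and version below is constructed for illustration.

```python
"""Minimal "known vulnerable component" build gate (added example).

Not code from enforce-victims-rule, DependencyCheck, Sonatype or OWASP.
The advisory feed, the manifest format and all identifiers are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    group: str
    artifact: str
    advisory_id: str                            # placeholder id, not a real CVE
    affected: List[Tuple[str, Optional[str]]]   # [lower inclusive, upper exclusive)


# Constructed advisory feed: two fictitious components, with version ranges
# in which the fictitious flaw is present.
ADVISORIES = [
    Advisory("org.example", "webfw", "EXAMPLE-2011-0001",
             [("3.0.0", "3.0.6"), ("3.1.0", "3.1.2")]),
    Advisory("org.example", "xmlparse", "EXAMPLE-2012-0002",
             [("0", "2.4.9")]),
]

# Constructed dependency manifest, one coordinate per line, '#' comments.
MANIFEST = """
# constructed build manifest
org.example:webfw:3.0.5
org.example:xmlparse:2.4.9
org.example:xmlparse:2.4.8.Final
com.example:unrelated:1.0
org.example:webfw:3.1.2
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple.

    Parsing stops at the first non-numeric part, so a qualifier such as
    '.Final' or '-SNAPSHOT' is dropped (pre-release ordering is out of scope).
    Trailing zeros are removed so that '1.2' and '1.2.0' compare equal.
    """
    nums = []
    for part in re.split(r"[.\-]", text):
        if not part.isdigit():
            break
        nums.append(int(part))
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def version_in_range(version: str, lower: str, upper: Optional[str]) -> bool:
    """True if lower <= version < upper (upper None means unbounded)."""
    v = parse_version(version)
    if v < parse_version(lower):
        return False
    return upper is None or v < parse_version(upper)


def is_affected(group: str, artifact: str, version: str, adv: Advisory) -> bool:
    if (group, artifact) != (adv.group, adv.artifact):
        return False
    return any(version_in_range(version, lo, hi) for lo, hi in adv.affected)


def parse_manifest(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'group:artifact:version' lines; blank lines and comments skipped."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"bad coordinate: {line!r}")
        deps.append((parts[0], parts[1], parts[2]))
    return deps


def check_manifest(text: str, advisories=ADVISORIES) -> List[Tuple[str, str]]:
    """Return (coordinate, advisory_id) for every dependency in an affected range."""
    findings = []
    for group, artifact, version in parse_manifest(text):
        for adv in advisories:
            if is_affected(group, artifact, version, adv):
                findings.append((f"{group}:{artifact}:{version}", adv.advisory_id))
    return findings


if __name__ == "__main__":
    hits = check_manifest(MANIFEST)
    for coord, adv_id in hits:
        print(f"FAIL {coord} matches {adv_id}")
    # Non-zero exit fails the build, the same contract a Maven enforcer rule uses.
    raise SystemExit(1 if hits else 0)
```

The two lines of the constructed manifest that land inside an affected range are reported and the script exits non-zero; `2.4.9` sits exactly on the exclusive upper bound and is therefore clean. Real tools replace the hand-written feed with a maintained vulnerability database and match on more than exact coordinates, which is where most of their complexity lives.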


More information about the Owasp-topten mailing list