[Owasp-topten] [Owasp-bayarea] Top Ten 2016 (time for a refresh)

Jeff Williams jeff.williams at owasp.org
Sun Feb 7 23:19:38 UTC 2016


I like the idea of including BB data. But remember that BB programs have their own set of biases. What is a good investment of time for a BB payout may not match the types of flaws your adversaries go after.

--Jeff


> On Feb 4, 2016, at 3:54 PM, Dave Wichers <dave.wichers at owasp.org> wrote:
> 
> Well. That depends on who does the assessment and how they vet their findings. Aspect reports don't contain any false positives, because they all are found by humans, not just output of tools.
>  
> But that said, I think your point is valid. If a BB program wants to submit their findings to the OWASP Top 10 open call, that would be great.
>  
> -Dave
> 
>> On Thu, Feb 4, 2016 at 2:59 PM, Blake <blake at hotwan.com> wrote:
>> Yes, only relevant CVEs that pertain to top web app stuff. We've got several years of good data on that.
>> 
>> Bug bounty programs have increasing relevance nowadays. Crowdsourced hacking from all over the world finds bugs in people's websites 24/7/365, and they get paid either through an internal program like PayPal's or an external company like Bug Crowd, Hackerone, etc.
>> 
>> I feel Bug Bounties are more legitimate and representative of a top 10 than some web app security company submitting their anonymized findings of their previous assessments.  
>> 
>> Bug bounty findings are validated findings hence a tangible payout.
>> 
>> Security company assessment stats are skewed by the inclusion of a bunch of potential false positives introduced as vulns. These false positives are only later discovered by the receiving clients and/or other 3rd party auditors who review the work of the previous security company assessment. This delta of error is rarely conveyed back to the security company that provided the original assessment so their stats.
>> 
>> Say, for example,
>> 
>> A company may say, "we found 1,000 different cross-site scripting bugs on a website" when in fact there may be only 2 after someone else outside the assessment validated those findings.
>> 
>> Hope this makes sense.
>> 
>> -Blake Turrentine
>> HotWAN
>> 
>> 
>> From: Dave Wichers <dave.wichers at owasp.org>
>> Date: Thursday, February 4, 2016 at 10:45 AM
>> To: docs <blake at electronicrealm.com>
>> Cc: docs <blake at hotwan.com>, <Owasp-bayarea at lists.owasp.org>, 박형근 <mirrk1 at gmail.com>, OWASP TopTen <Owasp-topten at lists.owasp.org>
>> 
>> Subject: Re: [Owasp-bayarea] [Owasp-topten] Top Ten 2016 (time for a refresh)
>> 
>> Each Top 10 item refers to the relevant CVEs if that's what you mean. I definitely plan to reference Dependency Check in the new Top 10.
>>  
>> Not sure how bug bounty programs would relate to the Top 10...
>>  
>> -Dave
>> 
>>> On Wed, Feb 3, 2016 at 10:34 AM, Blake <blake at electronicrealm.com> wrote:
>>> Thank you Dave.
>>> 
>>> Have we incorporated CVEs in the past? Not necessarily under the general category "A9 - Using Components with Known Vulnerabilities" but make it more specific as to the type of vulns found in them. (Jeremy Long's Dependency Check tool comes to mind.)
>>> 
>>> Also, I'm hoping we can rope in the bug bounty folks / companies. Jason Haddix, a great supporter of OWASP, may give us some guidance.
>>> 
>>> Furthermore, I’ve worked with a few companies that have internal BB that may help out.
>>> 
>>> -Blake Turrentine
>>> HotWAN
>>> 
>>> From: <owasp-bayarea-bounces at lists.owasp.org> on behalf of Dave Wichers <dave.wichers at owasp.org>
>>> Date: Wednesday, February 3, 2016 at 6:44 AM
>>> To: docs <blake at hotwan.com>
>>> Cc: <Owasp-bayarea at lists.owasp.org>, 박형근 <mirrk1 at gmail.com>, OWASP TopTen <Owasp-topten at lists.owasp.org>
>>> Subject: Re: [Owasp-bayarea] [Owasp-topten] Top Ten 2016 (time for a refresh)
>>> 
>>> I need to issue a data call. I plan to do that by end of February and make it public, whereas previously I simply asked for specific organizations to contribute. I'm going to provide a template of what the input needs to look like, and then anyone who wants to can contribute their data.
>>> 
>>> We'll then have to sort through it all and decide what the next Top 10 items are going to be based on this input and other trends we are seeing in industry.
>>>  
>>> At that point, it would be good to discuss your ideas around including other material like you suggest.
>>>  
>>> -Dave
>>> 
>>>> On Tue, Feb 2, 2016 at 12:02 AM, Blake <blake at hotwan.com> wrote:
>>>> Awesome for the help!
>>>> 
>>>> 박형근, I am trying to see what's been done so far, if anything, for updating the Top 10 for 2016.
>>>> 
>>>> Trying to reach out to Dave Wichers, the former project lead of OWASP Top 10 2013, to see what's going on.
>>>> 
>>>> I have some ideas on representing Web Services and APIs (OAuth, etc.) a little better in the mix, as well as augmenting vulnerability prevalence data to support the new rankings.
>>>> 
>>>> -Blake Turrentine
>>>> 
>>>> From: 박형근 <mirrk1 at gmail.com>
>>>> Date: Monday, February 1, 2016 at 8:06 PM
>>>> To: docs <blake at hotwan.com>
>>>> Subject: Re: [Owasp-topten] Top Ten 2016
>>>> 
>>>> Hello, Blake. 
>>>> 
>>>> Are you in the development of Top Ten 2016?
>>>> What is the time frame?
>>>> 
>>>> I will support you with Korean security experts. 
>>>> 
>>>> Thanks a lot. 
>>>> Best regards. 
>>>> 
>>>> 2016-02-02 3:44 GMT+09:00 Blake <blake at hotwan.com>:
>>>>> Hi,
>>>>> 
>>>>> Checking in to see where we are at with the development of Top Ten 2016.
>>>>> 
>>>>> Looking to help out.
>>>>> 
>>>>> Cheers,
>>>>> 
>>>>> Blake Turrentine
>>>>> 
>>>>> _______________________________________________
>>>>> Owasp-topten mailing list
>>>>> Owasp-topten at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> Park, Hyungkeun, CGEIT, CISSP, CISA, IBM Security Technical Leader, SWG, IBM Korea.
>>>> TEL. 82-2-3781-7963, FAX. 82-31-213-8283, HP 010-4995-7963, E-mail : phk at kr.ibm.com
>>>> Office Address :  16th Fl., Military Mutual Aid Association Bldg 467-12, Dogok-dong, Gangnam-gu, Seoul, Korea (Zip Code : 135-270)
>>>> Twitter: http://twitter.com/securityinsight
>>>> Facebook: http://www.facebook.com/hyungkeun.park
>>>> Web Site: http://www.securityplus.or.kr
>>>> 
>>> 
>>> _______________________________________________
>>> Owasp-bayarea mailing list
>>> Owasp-bayarea at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-bayarea
> 