[Owasp-topten] [Owasp-bayarea] Top Ten 2016 (time for a refresh)

Blake blake at hotwan.com
Wed Mar 2 21:37:34 UTC 2016


Hi Jeff and Dave,
Maybe we can pull stats from the new Pentagon Bug-Bounty program as well.
Here is more info:
http://www.npr.org/sections/thetwo-way/2016/03/02/468887190/u-s-announces-hack-the-pentagon-bug-bounty-program



From:  Jeff Williams <jeff.williams at owasp.org>
Date:  Sunday, February 7, 2016 at 3:19 PM
To:  Dave Wichers <dave.wichers at owasp.org>
Cc:  docs <blake at hotwan.com>, docs <blake at electronicrealm.com>,
"Owasp-bayarea at lists.owasp.org" <Owasp-bayarea at lists.owasp.org>, OWASP
TopTen <Owasp-topten at lists.owasp.org>
Subject:  Re: [Owasp-topten] [Owasp-bayarea] Top Ten 2016 (time for a
refresh)

I like the idea of including BB data.  But remember that BB programs have
their own set of biases.  What is a good investment of time for a BB payout
may not match the types of flaws your adversaries go after.

--Jeff


On Feb 4, 2016, at 3:54 PM, Dave Wichers <dave.wichers at owasp.org> wrote:

> Well. That depends on who does the assessment and how they vet their
> findings. Aspect reports don't contain any false positives, because they all
> are found by humans, not just output of tools.
>  
> But that said, I think your point is valid. If a BB program wants to submit
> their findings to the OWASP Top 10 open call, that would be great.
>  
> -Dave
> 
> On Thu, Feb 4, 2016 at 2:59 PM, Blake <blake at hotwan.com> wrote:
>> Yes, only relevant CVEs that pertain to top web app stuff. We got several
>> years of good data on that.
>> 
>> Bug bounty programs have increasing relevance nowadays. Crowdsourced hacking
>> from all over the world finds bugs in people’s websites 24/7/365 and they get
>> paid either through an internal program like PayPal's or an external company
>> like Bug Crowd, Hackerone, etc.
>> 
>> I feel Bug Bounties are more legitimate and representative of a top 10 than
>> some web app security company submitting their anonymized findings of their
>> previous assessments.
>> 
>> Bug bounty findings are validated findings hence a tangible payout.
>> 
>> Security company assessment stats are skewed with the inclusion of a bunch
>> of potential false positives introduced as vulns.  These false positives are
>> only later discovered by the receiving clients and or other 3rd party
>> auditors who review the work of the previous Security company assessment.
>> This delta of error is rarely conveyed back to the security company that
>> provided the original assessment so their stats.
>> 
>> Say, for example,
>> 
>> A company may say, "we found 1,000 different cross-site scripting bugs on a
>> website" when in fact there may be only 2 after someone else outside the
>> assessment validated those findings.
>> 
>> Hope this makes sense.
>> 
>> -Blake Turrentine
>> HotWAN
>> 
>> 
>> From:  Dave Wichers <dave.wichers at owasp.org>
>> Date:  Thursday, February 4, 2016 at 10:45 AM
>> To:  docs <blake at electronicrealm.com>
>> Cc:  docs <blake at hotwan.com>, <Owasp-bayarea at lists.owasp.org>, 박형근
>> <mirrk1 at gmail.com>, OWASP TopTen <Owasp-topten at lists.owasp.org>
>> 
>> Subject:  Re: [Owasp-bayarea] [Owasp-topten] Top Ten 2016 (time for a
>> refresh)
>> 
>> Each Top 10 item refers to the relevant CVEs if that's what you mean. I
>> definitely plan to reference Dependency Check in the new Top 10.
>>  
>> Not sure how bug bounty programs would relate to the Top 10...
>>  
>> -Dave
>> 
>> On Wed, Feb 3, 2016 at 10:34 AM, Blake <blake at electronicrealm.com> wrote:
>>> Thank you Dave.
>>> 
>>> Have we incorporated CVEs in the past?  Not necessarily under the general
>>> category " A9 - Using Components with Known Vulnerabilities
>>> <https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities>  “ but make it more specific as to the type of vulns found
>>> in them. (Jeremy Long’s Dependency Check tool comes to mind.)
>>> 
>>> Also, I’m hoping we can rope in the bug bounty folks / companies.  Jason
>>> Haddix, a great supporter of OWASP, may give us some guidance.
>>> 
>>> Furthermore, I’ve worked with a few companies that have internal BB that may
>>> help out.
>>> 
>>> -Blake Turrentine
>>> HotWAN
>>> 
>>> From:  <owasp-bayarea-bounces at lists.owasp.org> on behalf of Dave Wichers
>>> <dave.wichers at owasp.org>
>>> Date:  Wednesday, February 3, 2016 at 6:44 AM
>>> To:  docs <blake at hotwan.com>
>>> Cc:  <Owasp-bayarea at lists.owasp.org>, 박형근 <mirrk1 at gmail.com>, OWASP TopTen
>>> <Owasp-topten at lists.owasp.org>
>>> Subject:  Re: [Owasp-bayarea] [Owasp-topten] Top Ten 2016 (time for a
>>> refresh)
>>> 
>>> I need to issue a data call. I plan to do that by end of February and make
>>> it public, whereas previously I simply asked for specific organizations to
>>> contribute. I'm going to provide a template of what the input needs to look
>>> like and then anyone who wants to can contribute their data.
>>> 
>>> We'll then have to sort through it all and decide what the next Top 10 items
>>> are going to be based on this input and other trends we are seeing in
>>> industry.
>>>  
>>> At that point, it would be good to discuss your ideas around including other
>>> material like you suggest.
>>>  
>>> -Dave
>>> 
>>> On Tue, Feb 2, 2016 at 12:02 AM, Blake <blake at hotwan.com> wrote:
>>>> Awesome for the help!
>>>> 
>>>> 박형근, I am trying to see what’s been done so far - if anything - for updating
>>>> Top 10 for 2016.
>>>> 
>>>> Trying to reach out to Dave Wichers, the former project lead of OWASP Top 10
>>>> - 2013, to see what’s going on.
>>>> 
>>>> I have some ideas on representing Web Services and APIs (OAuth, etc) a
>>>> little better in the mix as well as augmenting vulnerability prevalence
>>>> data to support the new rankings.
>>>> 
>>>> -Blake Turrentine
>>>> 
>>>> From:  박형근 <mirrk1 at gmail.com>
>>>> Date:  Monday, February 1, 2016 at 8:06 PM
>>>> To:  docs <blake at hotwan.com>
>>>> Subject:  Re: [Owasp-topten] Top Ten 2016
>>>> 
>>>> Hello, Blake. 
>>>> 
>>>> Are you in the development of Top Ten 2016?
>>>> What is the time frame?
>>>> 
>>>> I will support you with Korean security experts.
>>>> 
>>>> Thanks a lot. 
>>>> Best regards. 
>>>> 
>>>> 2016-02-02 3:44 GMT+09:00 Blake <blake at hotwan.com>:
>>>>> Hi,
>>>>> 
>>>>> Checking in to see where we are at with the development of Top Ten 2016.
>>>>> 
>>>>> Looking to help out.
>>>>> 
>>>>> Cheers,
>>>>> 
>>>>> Blake Turrentine
>>>>> 
>>>>> _______________________________________________
>>>>> Owasp-topten mailing list
>>>>> Owasp-topten at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> Park, Hyungkeun, CGEIT, CISSP, CISA, IBM Security Technical Leader, SWG,
>>>> IBM Korea.
>>>> TEL. 82-2-3781-7963, FAX. 82-31-213-8283, HP 010-4995-7963, E-mail :
>>>> phk at kr.ibm.com
>>>> Office Address :  16th Fl., Military Mutual Aid Association Bldg 467-12,
>>>> Dogok-dong, Gangnam-gu, Seoul, Korea (Zip Code : 135-270)
>>>> Twitter: http://twitter.com/securityinsight
>>>> Facebook: http://www.facebook.com/hyungkeun.park
>>>> Web Site: http://www.securityplus.or.kr
>>>> 
>>>> 
>>> 
>>> _______________________________________________
>>> Owasp-bayarea mailing list
>>> Owasp-bayarea at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-bayarea
>> 
> 

