[Owasp-topten] [Owasp-leaders] OWASP Top Ten

Daniel Harvey daniel.harvey at owasp.org
Mon May 15 17:00:30 UTC 2017


Not to hijack this thread, but I know I sent a message to the Top Ten team
back when the draft was made available and still have not received a
response. So if you are recommending that, I ask that you verify they
communicate better.

On May 15, 2017 11:40 AM, "Larry Conklin" <larry.conklin at owasp.org> wrote:

Nikola, I would like to keep this thread on my original proposal. Perhaps
you can draw up a specific proposal and submit it to the Top Ten Team. I think
having individual proposals for the Top Ten would enhance how each is
treated with its own discussion points.

Larry

On Mon, May 15, 2017 at 5:07 AM, Nikola Milosevic <
nikola.milosevic at owasp.org> wrote:

> Hello,
>
> Let me add my 2 cents, apart from the fact that this is very to the point,
> with data evidence and very helpful.
>
> However, I have problems with all newly added items, since they seem to me
> overly generic. In the past OWASP Top 10 used to be quite specific in terms
> of attacks. Now we have *Insufficient Attack Protection* and *Underprotected
> APIs*. I really struggle to get over these two. I mean if you add
> underprotected APIs, why don't you have underprotected Web applications and
> underprotected infrastructure and we are done with OWASP Top 3. No need for
> 10 issues anymore. Underprotected API is including SQL injection, XSS, and
> all other attack vectors that can come over API. At least that seems to me
> from the document. Why not identify one that is the most common? Or make a
> new project, something like OWASP API Top 10, as we have OWASP mobile Top
> 10. And insufficient attack protection. Like what does that mean? We can
> finish OWASP Top 1 with that one. It covers all. Then you go description
> and it is about automated attack protection and blocking. At least the name
> seems to me to be wrong. Maybe call it "No brute force attack blocking", or
> maybe something similar in case it is not meant to be only about automatic
> brute force attacks. As well probably it does not make sense to point out
> again critiques that came about this, such as
> http://www.skeletonscribe.net/2017/04/abusing-owasp.html
>
> My kind suggestion would be to modify these two things not to be so
> generic as they are right now.
>
> Pozdrav/Best regards,
>
> Nikola Milošević
> OWASP Seraphimdroid project leader
> nikola.milosevic at owasp.org
> OWASP - Open Web Application Security Project
> <https://www.owasp.org/index.php/Main_Page>
> OWASP Seraphimdroid Project
> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
>
> On Mon, May 15, 2017 at 12:09 AM, Larry Conklin <larry.conklin at owasp.org>
> wrote:
>
>> Dave and group hope you find this feedback on the Top Ten to be
>> constructive.
>>
>> Feedback on candidate release OWASP TOP 2017
>>
>> A5- Security Misconfiguration.
>>
>>
>>
>> Stating that security misconfiguration is not enough. It does bring forth
>> the issues for developers and security professionals that important
>> security vulnerabilities exist in server and application configurations. It
>> does not address some large, common security misconfigurations. OWASP Top Ten
>> cannot address every misconfiguration and it shouldn't. But I feel that
>> somehow within the OWASP Top Ten we should address major security
>> misconfigurations that are prevalent on web sites.
>>
>>
>>
>> Websites, mail servers, and other TLS-dependent services fall exactly
>> within this gray zone. Right now we have a self-created crisis. Users are
>> taught wrongly that https means safe and the green lock in the URL means
>> the web site is safe. Yet evidence shows web sites are moving to TLS with
>> misconfigured settings.
>>
>>
>>
>> Some basic statistics. Per weak DH website. https://weakdh.org
>>
>>
>>
>>
>>
>> Protocol                                Vulnerable to Logjam
>> HTTPS — Top 1 Million Domains           8.4%
>> HTTPS — Browser Trusted Sites           3.4%
>> SMTP+StartTLS — IPv4 Address Space      14.8%
>> POP3S — IPv4 Address Space              8.9%
>> IMAPS — IPv4 Address Space              8.4%
>>
>>
>>
>> “The Logjam attack allows a man-in-the-middle attacker to downgrade
>> vulnerable TLS connections to 512-bit export-grade cryptography. This
>> allows the attacker to read and modify any data passed over the connection.
>> The attack is reminiscent of the FREAK attack, but is due to a flaw in the
>> TLS protocol rather than an implementation vulnerability, and attacks a
>> Diffie-Hellman key exchange rather than an RSA key exchange. *The attack
>> affects any server that supports DHE_EXPORT ciphers, and affects all
>> modern web browsers. 8.4% of the Top 1 Million domains were initially
>> vulnerable.*”
>>
>>
>>
>>
>>
>> Protocol                                Vulnerable if most common 1024-bit group is broken
>> HTTPS — Top 1 Million Domains           17.9%
>> HTTPS — Browser Trusted Sites           6.6%
>> IPv4 Address Space                      25.7%
>> IKEv1 (IPsec VPNs) — IPv4 Address Space 66.1%
>>
>>
>>
>> “Millions of HTTPS, SSH, and VPN servers all use the same prime numbers
>> for Diffie-Hellman key exchange. Practitioners believed this was safe as
>> long as new key exchange messages were generated for every connection.
>> However, the first step in the number field sieve—the most efficient
>> algorithm for breaking a Diffie-Hellman connection—is dependent only on
>> this prime. After this first step, an attacker can quickly break individual
>> connections. This computation against the most common 512-bit prime used
>> for TLS and demonstrate that the Logjam attack can be used to downgrade
>> connections to 80% of TLS servers supporting DHE_EXPORT. *It has been
>> estimated that an academic team can break a 768-bit prime and that a
>> nation-state can break a 1024-bit prime*. Breaking the single, most
>> common 1024-bit prime used by web servers would allow passive eavesdropping
>> on connections to 18% of the Top 1 Million HTTPS domains. A second prime
>> would allow passive decryption of connections to 66% of VPN servers and 26%
>> of SSH servers. A close reading of published NSA leaks shows that the
>> agency's attacks on VPNs are consistent with having achieved such a break.”
>>
>>
>>
>> One issue we have with these vulnerabilities is the risk level: nation-state
>> resources are needed. After the Shadow Brokers source code leak
>> and the WannaCry ransomware outbreak we have to review what vulnerabilities
>> actually require nation-state resources.
>>
>> The question is how do we disseminate this information? I feel that the
>> breadth and reach of the OWASP Top Ten needs to have a layer beneath it on
>> some items/topics such as A5 Security Misconfiguration. I realize that some
>> topics like XSS have so many variables that we can't reach the depth of
>> discussion needed. But on a sub-topic like SSL in A5 Security
>> Misconfiguration this can help OWASP Top Ten shine brighter and have a
>> far-reaching effect.
>>
>>
>>
>> Reference: https://www.trustworthyinternet.org/ssl-pulse/
>>
>>
>>
>

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
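Larry's A5 point above, that servers move to TLS with weak Diffie-Hellman settings (DHE_EXPORT suites, 512/768/1024-bit groups), turned into a defender-side triage check. This is an added example, not code from the thread or from weakdh.org; the scan-record layout, field names and sample hosts are constructed for illustration.

```python
import re

# Added example (not from the thread or from weakdh.org): flag the TLS
# key-exchange settings the Logjam results describe as misconfigurations.
# Records mimic a scanner's per-host summary; field names are assumptions.
SEVERITY_RANK = {"ok": 0, "medium": 1, "high": 2, "critical": 3}
DH_MIN_BITS = 2048  # recommended minimum finite-field DH group size
# Export-grade suites in OpenSSL ("EXP-EDH-RSA-DES-CBC-SHA") and IANA
# ("TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA") naming.
EXPORT_RE = re.compile(r"(^|[_-])(EXP|EXPORT)([_-]|\d|$)")

def is_export_suite(name):
    return bool(EXPORT_RE.search(name.upper()))

def uses_finite_field_dhe(name):
    # DHE/EDH without the EC prefix: these negotiate the server's DH group.
    n = name.upper()
    return ("DHE" in n or "EDH" in n) and "ECDH" not in n

def assess_host(record):
    """Return (worst_severity, findings) for one host.
    record keys: host, ciphers (list of suite names), dh_bits (int or None)."""
    findings = []
    export = [c for c in record["ciphers"] if is_export_suite(c)]
    if export:
        findings.append(("critical", "export suites enabled: " + ", ".join(export)))
    bits = record.get("dh_bits")
    if bits is not None and any(uses_finite_field_dhe(c) for c in record["ciphers"]):
        # Thresholds follow the quoted findings: 512-bit export groups are
        # broken outright, 768-bit is within academic reach, 1024-bit within
        # nation-state reach; 2048 bits or more is the floor.
        if bits <= 512:
            findings.append(("critical", f"{bits}-bit DH group (export-grade)"))
        elif bits < 1024:
            findings.append(("high", f"{bits}-bit DH group (academic reach)"))
        elif bits < DH_MIN_BITS:
            findings.append(("medium", f"{bits}-bit DH group (nation-state reach)"))
    worst = max((s for s, _ in findings), key=SEVERITY_RANK.get, default="ok")
    return worst, findings

def triage(records):
    """Map host -> worst severity, e.g. for an A5 summary across a fleet."""
    return {r["host"]: assess_host(r)[0] for r in records}

# Constructed sample scan results (not real hosts).
SAMPLE = [
    {"host": "web1.example", "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"], "dh_bits": None},
    {"host": "mail.example", "ciphers": ["DHE-RSA-AES256-SHA", "EXP-EDH-RSA-DES-CBC-SHA"], "dh_bits": 1024},
    {"host": "vpn.example", "ciphers": ["DHE-RSA-AES128-SHA"], "dh_bits": 768},
]
```

Running `triage(SAMPLE)` rates the ECDHE-only host "ok", the mail host "critical" for its export suite, and the VPN host "high" for its 768-bit group.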