[Owasp-topten] Feedback on Top 10 2017 RC2 released

io blake at hotwan.com
Sat Oct 21 21:02:57 UTC 2017


Hi Team,

For A4: XML External Entity (XXE) - I see a lot of that in the field, though in terms of lack of configuration. Surprised to see little research has been done with embedded / inline files in XML.

Surprised we are including XML, where JSON implementations are rapidly overtaking it. No mention of HTML5 feature-rich specific vulns either. I guess more security research needs to be done in these areas for them to make it to the Top 10.

#########

I think the A8: Insecure Serialization is a good one with a big potential for further eye-opening research across different programming languages. A sign of our times in 2017.

#########

I'm on the fence about A10: Insufficient Logging and Monitoring. Though I see it everywhere in code, lack of it, misconfigurations, etc., I really don't see it as a 'Legit' Attack Vector the way each of the rest of the Top 10 categories is. It's almost always a Low finding anyway and geared more toward a different profession such as Incident Response, which is Out-of-Scope.

#########

Glad to see "Insufficient Attack Protection" was removed. That one seemed like a thinly veiled vendor pitch from some product-pushing scum.

#########

Questions, comments, Stimulating Ideas???

-Blake Turrentine
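A worked illustration of the "lack of configuration" point on A4, added here as an example and not part of this message or of any OWASP material: untrusted XML is pre-scanned with Python's standard-library expat parser and rejected as soon as a DOCTYPE appears, so no declared entity, external or internal, is ever resolved regardless of the downstream parser's defaults. The helper names and both sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DoctypeForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE: entity declarations,
    external (XXE) or internal (entity expansion), can only appear there."""


def reject_doctype(data: bytes) -> None:
    """Pre-scan the document with expat and abort at the first DOCTYPE.

    Stopping before any entity is declared means nothing is ever resolved,
    whatever the downstream parser's defaults are. Hypothetical helper
    written for this example, not part of any library.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeForbidden(f"DOCTYPE '{name}' not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = on_doctype
    # An exception raised inside a handler propagates out of Parse().
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTDs disallowed."""
    reject_doctype(data)
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the document passes the hardened parser, False if rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except DoctypeForbidden:
        return False


# Constructed samples (not real traffic): a benign order and an XXE-style
# probe declaring an external entity. The SYSTEM URI is a placeholder and
# is never fetched, because parsing stops at the DOCTYPE.
BENIGN = b"<order><note>hello</note></order>"
XXE_PROBE = (b'<?xml version="1.0"?>\n'
             b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>\n'
             b"<order><note>&ext;</note></order>")

if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN))    # True
    print("probe accepted:", is_accepted(XXE_PROBE))  # False
```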


> On Oct 21, 2017, at 4:22 AM, Ricardo Iramar dos Santos <ricardo.iramar at owasp.org> wrote:
> 
> Amazing updates! Congratulations to the team!
> 
> On Fri, Oct 20, 2017 at 7:17 PM, Neil Smithline <neil.smithline at owasp.org> wrote:
> We have just released RC2 at https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010%202017%20RC2%20Final.pdf
> 
> We have worked extensively to validate the methodology, obtained a great deal of data on over 114,000 apps, and obtained qualitative data via survey by 550 community members on the two new categories – insecure deserialization and insufficient logging and monitoring. 
> 
> We strongly urge for any corrections or issues to be logged at GitHub - https://github.com/OWASP/Top10/issues
> 
> Through public transparency, we provide traceability and ensure that all voices are heard during this final month before publication.
> 
> (We will be reaching out to translators shortly.)
> 
> Andrew van der Stock
> Brian Glas
> Neil Smithline
> Torsten Gigler
> 
> -- 
> Neil Smithline
> OWASP Top-10 Co-Leader
> @neil_smithline <https://twitter.com/neil_smithline>
> 
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
> 
> 
> 
> -- 
> Ricardo Iramar dos Santos
> http://ricardo-iramar.com
> https://www.linkedin.com/in/iramar
> skype: ricardo.iramar
> twitter: ricardo_iramar
> "Yesterday is history, tomorrow is a mystery, but today is a gift. That is why it is called the present."
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten