[Owasp_top_10_privacy_risks_project] OWASP Top 10 Privacy Risks presented at IPEN in Berlin / Description available
colin.watson at owasp.org
Mon Nov 3 14:05:18 UTC 2014
Thank you, that has helped explain P9 further for me. "Session
expiration" made me think of a software weakness, but it sounds like
it is meant to be more related to "ongoing collection of information"
- beyond what is necessary.
Yes I see what you mean by P4 and P8 too. Classification is hard, and
it is good this list exists at all.
Thank you for your help,
On 1 November 2014 16:09, Lukasz Olejnik <lukasz.olejnik at inria.fr> wrote:
> Dear Colin,
> I will take the privilege and answer some of the concerns.
> Privacy problems are often intertwined.
> P9 is slightly different from P1. P1 refers to insecurity and is more general. However, P9 allows the collection (aggregation) of user data for a potential later use and is not strictly related to security. My understanding is that in a survey, people addressed some past media coverage of these kinds of problems. I respect the opinion from the survey, although I am not fully sure if having this particular problem as a separate number on the list is truly justified. That said, it's good we have at least some "mediums" ;)
> That said, I extensively discussed overlaps with Florian, as there appear to be some more evident examples (e.g. P4 and P8 are somewhat redundant and could be simplified into one point, same for P10 and P1 ["insecurity"]). As said, we did discuss it with Florian and agreed that any changes at this point are possible, but in the next revision of the list (update). In this case I am looking forward to working on that.
> ----- Original Message -----
>> From: "Colin Watson" <colin.watson at owasp.org>
>> To: "Florian Stahl" <florian.stahl at owasp.org>
>> Cc: "owasp top 10 privacy risks project" <owasp_top_10_privacy_risks_project at lists.owasp.org>
>> Sent: Saturday, 1 November, 2014 1:00:07 PM
>> Subject: Re: [Owasp_top_10_privacy_risks_project] OWASP Top 10 Privacy Risks presented at IPEN in Berlin /
>> Description available
>> Congratulations on the recent activities.
>> Thank you for the additional explanation about P6.
>> But I was also wondering about P9 and P10:
>> P9 - Missing or insufficient Session Expiration
>> P10 - Insecure Data Transfer
>> Aren't these already part of "P1 - Web Application Vulnerabilities",
>> which is described as "This risk also encompasses the OWASP Top 10 List
>> of web application vulnerabilities and the risks resulting from
>> them."? If not, how are P9 and P10 different please?
>> Project Name/Label
>> This is web application privacy risks. Could there be a mobile app
>> version too? I wonder if it is different?
>> Use of OWASP Mailing List
>> CCing this to the project mailing list, as the original message wasn't
>> sent there.
>> Also, I asked a question on the mailing list in August:
>> It was never replied to. I don't mind being ignored ;-) but wondered
>> is there some other place we are meant to contribute and share (e.g.
>> ZAP uses a Google Group)? If so, can you set an auto-responder on the
>> OWASP mailing list to say it is not used please.
>> On 1 November 2014 08:25, Florian Stahl <florian.stahl at owasp.org> wrote:
>> > Dear members of the OWASP Top 10 Privacy Risks project,
>> > I just want to inform you about recent activities:
>> > The initial presentation of our Top 10 Privacy Risks took place at the
>> > first IPEN workshop in Berlin. Read about it in the IAPP blog.
>> > We created a description of our Top 10 Risks. Thanks to Lukasz Olejnik from
>> > Inria Privatics and Tim Gough from the Guardian for their support. Feel
>> > free to send feedback.
>> > We updated the title of P6 (former Collection of data not required for the
>> > user-consented purpose) to "Collection of data not required for primary
>> > purpose" for better understanding and improved English.
>> > Now we aim to reach the status of an OWASP Lab project, which represents
>> > projects that have produced an OWASP-reviewed deliverable of value.
>> > Next presentations of our project will be on 9 December at the German OWASP
>> > Day in Hamburg and at the IAPP Global Privacy Summit in Washington DC (4-6
>> > March 2015). Let me know if you will be there.
>> > Have a good weekend,
>> > Florian
>> > --
>> > Project Leader OWASP Top 10 Privacy Risks
>> > Lead Consultant msg systems
>> > Munich / Germany
>> > Project: https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project
>> > Company: www.msg-systems.com
>> > Blog: www.securitybydesign.de