WebApp Sec mailing list archives

Re: OWASP Top Ten - My Case For Updating It


From: "Jeff Williams" <jeff.williams () owasp org>
Date: Sun, 10 Jul 2005 22:35:40 -0400

There's no question that the Top Ten doesn't cover every topic in web application security. That wouldn't make sense for a Top Ten document. Still, you might want to go back and actually check what it does cover, as it clearly covers several of the examples you mention below. The Top Ten is for raising awareness and focusing executives on this aspect of security.

Web app security professionals are much better served by the OWASP Guide (Version 2.0 to be released at Black Hat -- a major rework!) and the OWASP Testing project.

--Jeff

----- Original Message -----
From: rajesh dilli
To: Mark Curphey ; 'Saqib Ali'
Cc: webappsec () securityfocus com ; 'Jeff Williams'
Sent: Sunday, July 10, 2005 8:39 PM
Subject: RE: OWASP Top Ten - My Case For Updating It


Hi Mark and others in the list,
First of all, I would like to thank Mark for bringing this discussion to the forefront. I've been an application security analyst for a major firm for more than a year, reviewing applications from various domains. I had been using the OWASP Top 10 as a baseline for securing the applications and had observed various misconceptions (which I'm quoting below) about them from the people who know and follow them.

1) First, it's not the complete list of problems that a reviewer should look for in web applications, but a baseline to standardize their safeguards. There are many more problems outside the Top 10 which, if exploited, can have more impact than the Top 10.

2) Vendor tools marketing that their tools comply with the OWASP Top 10 (many of them even include policies such as OWASP Top 10 and Sarbanes-Oxley). I know many people out there who just use many of these commercial tools to review their web applications. Do you really think an automated scan of your web application can solve all the problems relating to security? How many of these people know what a scanner can and cannot do? Perhaps they should read Jeremiah Grossman's article on "Challenges of Automated Web Application Scanning", especially the slide "Humans vs Scanners".

3) Misconception of the OWASP topics. How many of the topics in the OWASP Top 10 detail all the problems in the specific domain? E.g. Broken Access Control and Session Management is itself a whole topic and has various attack patterns like parameter tampering, invoking common JavaScript functions, hidden html/jsp/asp/.. files. But the OWASP discussion on this only emphasizes userids and passwords. I'm not against OWASP here, but we should take it to the next level, detailing the ways in which such issues (e.g. Broken Access Control) can arise.

4) No emphasis on topics outside the Top 10, e.g. file upload in web applications, using insecure mechanisms for sensitive parts of web applications (e.g. handling authentication control in Flash files). I've come across many of these design/programmatic issues which OWASP doesn't comment on (excuse me if I've overlooked the OWASP Top 10). If it's not possible to include all these issues under the Top 10, then we can consider a broad range of standards for web application security which goes beyond the Top 10 and serves as a complete list of issues known to occur in web applications.

Any comments/criticism on my above topics are most welcome.

Thanks
Rajesh Dilli

Mark Curphey <mark () curphey com> wrote:
With respect I disagree about your disagreement ;-)

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-29,GGLD:en&q=owasp+and+pci

First link (view HTML for easier browsing) and look for Section 6.5.

It may be implied but without any credible alternatives, implication is
really a requirement.

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Sunday, July 10, 2005 2:25 AM
To: Mark Curphey
Cc: webappsec () securityfocus com; Jeff Williams
Subject: Re: OWASP Top Ten - My Case For Updating It

On 7/9/05, Mark Curphey wrote:
> I think the OWASP Top Ten needs a serious re-think.
i agree!!! :)

> novice companies will use the Top Ten as a testing yard stick. The PCI
> adoption is a dangerous issue that demonstrates this point. When
> MasterCard were hacked the first thing the company did was to say they
> passed the PCI tests. This will be the case with the OWASP Top Ten.

I disagree on this point. I don't think this will ever be the case.
PCI is a standard that Merchants and Service Providers are "required"
to follow. This is not the case for the OWASP Top Ten. OWASP does not require
any website to implement the Top 10, neither can it. Thus the OWASP Top 10 cannot
be used as a scapegoat.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
