Penetration Testing mailing list archives

Network Top 10


From: cribbar <crib.bar () hotmail co uk>
Date: Fri, 10 Dec 2010 08:40:48 -0800 (PST)


Hi All, 

Can I ask, does there exist any equivalent to OWASP's Top 10 Project (which
is targeted at application security), for network infrastructure? Or would
anyone be willing to list your own "Top 10" common vulnerabilities that you
come across on network based audits, as opposed to application audits? I.e.
excessive ACLs, missing client side patches, weak local passwords etc?

I think the OWASP Top 10 is an excellent resource to demonstrate to
management a Top 10 security issues with application security in 2010, but
I've never seen anything similar for Network Top 10 for most critical
risks/common weaknesses. Especially I would be interested in the prevalence
you are coming up against such risks/weaknesses in Network based reviews.
That's one of the best things on the OWASP Top 10, it gives it you straight,
a Top 10 with a) exploitability, b) prevalence (i.e. common/uncommon), c)
detectability and the most important IMO, d) risk impact. 

If such a project or review exists for network infrastructure I would love
to see a copy.

OWASP Top 10 for those not specialist in app security:

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Look forward to any replies...
-- 
View this message in context: http://old.nabble.com/Network-Top-10-tp30427834p30427834.html
Sent from the Penetration Testing mailing list archive at Nabble.com.

