Secure Coding mailing list archives

[WEB SECURITY] RE: I have not seen many people comment on the new OWASP top Ten What does every one think I blogged about it fro


From: robert at webappsec.org (robert at webappsec.org)
Date: Wed, 21 Apr 2010 13:41:11 -0400 (EDT)

Hello Matt,

My only real concern is that the OWASP Top Ten is now based on 'Risks' and has removed information/data disclosure/leakage. Speaking as someone who has worked in a risk management team, I see the leakage of customer/sensitive data as one of the most serious "Risks" that exist for a company, and it is something that is happening more and more. I brought this to the attention of the Top Ten list back in November (see #5) https://lists.owasp.org/pipermail/owasp-topten/2009-November/000487.html and it wasn't really addressed.

If the Top Ten was based on attacks and weaknesses (or just vulnerabilities) rather than 'risks' then I could see the argument for removal. Other than that, it is nice to see this document maturing/improving.

Regarding your comment on open redirects: I've seen these many times in the real world and they ARE being used by individuals to phish users. CSRF was used by the Samy worm (not what I'd call a well organized motivated attacker as much as a PoC) in combination with XSS, so I'd say it is used by both audiences (the abuse case is really application/functionality specific).


Regards,
- Robert A.
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/
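The open redirects Robert mentions are the kind of weakness a redirect-target allowlist closes. The following is an added example, not code from this thread or from OWASP, using constructed hostnames (`www.example.com`, `login.example.com`) and a hypothetical `safe_redirect_target` helper; it contrasts the common "starts with a slash, so it must be local" check with validation of the resolved host against an allowlist.

```python
from urllib.parse import urlsplit, urljoin

# Constructed allowlist for the example: hosts this application may send users to.
ALLOWED_HOSTS = {"www.example.com", "login.example.com"}
SAFE_DEFAULT = "/"


def naive_is_local(target: str) -> bool:
    """The check that lets open redirects through: a leading slash looks
    relative, but '//other.example' is protocol-relative and browsers
    will leave the site."""
    return target.startswith("/")


def safe_redirect_target(target: str, current_url: str) -> str:
    """Return a redirect URL that stays on an allowed host, else SAFE_DEFAULT.

    The candidate is resolved against the current request URL so that
    genuinely relative paths keep working; anything whose scheme or host
    falls outside the allowlist is replaced by the safe default.
    """
    if not target:
        return SAFE_DEFAULT
    # Some browsers treat backslashes as slashes, so normalise before parsing
    # to see the protocol-relative URL a candidate would actually become.
    candidate = target.strip().replace("\\", "/")
    resolved = urljoin(current_url, candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return SAFE_DEFAULT  # e.g. javascript: or data: schemes
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    if host not in ALLOWED_HOSTS:
        return SAFE_DEFAULT  # covers //other.example and lookalike subdomains
    return resolved


if __name__ == "__main__":
    base = "https://www.example.com/login"
    for t in ["/account", "//other.example", "\\\\other.example",
              "http://www.example.com.other.example/", "https://login.example.com/sso"]:
        print(f"{t!r:45} naive={naive_is_local(t)!s:5} safe={safe_redirect_target(t, base)}")
```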




I have not seen many people comment on the new OWASP Top Ten. What does everyone think? I blogged about it from my perspective. I am interested in hearing about other people's experience with it.

http://parsonsisconsulting.blogspot.com/2010/04/parsons-response-to-owasp-top-10-in.html

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1980 at gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt
