WebApp Sec mailing list archives

Re: OWASP Top Ten - My Case For Updating It


From: "Frank O'Dwyer" <fod () littlecatZ com>
Date: Wed, 13 Jul 2005 21:42:12 +0100

Mark Curphey wrote:

> [...]
> Todays OWASP Top 10 consists of;
>
> Unvalidated Input
> Broken Access Control
> Broken Authentication and Session Management
> Cross Site Scripting (XSS) Flaws
> Buffer Overflows
> Injection Flaws
> Improper Error Handling
> Insecure Storage
> Denial of Service
> Insecure Configuration Management
>
> If you examine the overall picture you will see that the list is actually a
> mix of 1, Security Mechanisms, 2, Attack Patterns and 3, Vulnerabilities.

Actually at least 9 out of 10 of those are vulnerabilities, or classes
of them, and that is one source of the problem. Basically people are
going to use any such list of vulnerabilities like a 'default permit'
policy - i.e. they will assume that anything that's not on the list must
be OK. It doesn't matter if it's the top 10 or the top 1,000 vulnerabilities
you list, this approach is fundamentally flawed.

What is actually needed is the list of right things to do. Tell people
to assume that anything not on that list is bogus - i.e. default to deny
- and then you would have something much more defensible. ("Default
deny" is also one of the right things to do, incidentally :-).

I would suggest 'most useful countermeasures', or 'most useful security
mechanisms', or something like that, myself. People who are trying to
get things done don't give a damn about threats and vulnerabilities,
they want to know what to do. Not what not to do. Think about
authentication or session management for example - there are practically
infinite ways to do it wrong and a handful of ways to do it right. The
list of ways to do it right is both a lot shorter and a lot more useful.

(I would have said "top 10 countermeasures" but that's another source of
problems. No doubt the "top 10" phrase is good marketing, but it
plainly implies that you will cover most problems if you adhere to it -
this is pandering to morons who are looking for a quick checklist of
boxes to tick. So why is anyone surprised when the morons show up in
droves and use it as exactly that?)

> [...]
> T10 - Things a company should have as part of its software security program
> T10 - Things to look for in a protection system
> T10 - Things to look for in an assessment system

This is all good stuff, too.

(Although again it suffers from the 'top 10' syndrome!)

Cheers,
Frank
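The "default permit" versus "default deny" distinction Frank draws for vulnerability lists applies just as directly to input validation, which is the first item on the OWASP list he quotes. The example below is added here to illustrate that point; it is not code from the mailing-list post or from OWASP. It contrasts a deny-list validator (enumerate known-bad fragments, permit everything else) with an allow-list validator (describe exactly what is acceptable, reject everything else) over a handful of constructed sample usernames, including inputs the deny list never anticipated.

```python
import re

# Constructed sample inputs for the demonstration (not taken from the post).
SAMPLE_USERNAMES = [
    "alice",                          # plainly fine
    "bob_smith",                      # plainly fine
    "<script>alert(1)</script>",      # on the deny list
    "admin'--",                       # on the deny list
    "java\u0000script",               # embedded NUL: not on the deny list
    "ali\u0441e",                     # Cyrillic 'es' look-alike: not on the deny list
]

# Deny-list ("default permit") validator: anything not matching a known-bad
# fragment is assumed to be acceptable.  The fragment list is illustrative.
DENY_FRAGMENTS = ["<script", "'", "--"]

def deny_list_ok(value: str) -> bool:
    lowered = value.lower()
    return not any(fragment in lowered for fragment in DENY_FRAGMENTS)

# Allow-list ("default deny") validator: a username is a lowercase ASCII
# letter followed by 2 to 31 lowercase letters, digits or underscores.
# Anything else, whether or not anyone has thought of it yet, is rejected.
ALLOWED_USERNAME = re.compile(r"[a-z][a-z0-9_]{2,31}")

def allow_list_ok(value: str) -> bool:
    return ALLOWED_USERNAME.fullmatch(value) is not None

def compare(values):
    """Return {value: (deny_list_verdict, allow_list_verdict)} for each input."""
    return {v: (deny_list_ok(v), allow_list_ok(v)) for v in values}

def slipped_past_deny_list(values):
    """Inputs the deny list accepted but the allow list rejected: the cases
    the 'default permit' policy never enumerated."""
    return [v for v, (deny_ok, allow_ok) in compare(values).items()
            if deny_ok and not allow_ok]

if __name__ == "__main__":
    for value, (deny_ok, allow_ok) in compare(SAMPLE_USERNAMES).items():
        print(f"{value!r:32} deny-list={deny_ok!s:5} allow-list={allow_ok}")
    print("slipped past the deny list:", slipped_past_deny_list(SAMPLE_USERNAMES))
```

Both validators agree on the obvious cases; the difference shows on the inputs nobody put on the deny list. The allow-list version is also the shorter of the two to specify, which is Frank's point about the list of "ways to do it right" being both shorter and more useful.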

