This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Talk:Top 10 2007"
From OWASP
(Should we have an editable .DOC file on a WIKI page with all the known vulnerabilities in the format?) |
(→Vulnerabilities vs Attacks) |
||
(6 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
+ | == Document format == | ||
+ | |||
Does it make sense to be distributing an editable .DOC file? I believe there are currently 5 zero-day vulnerabilities in .DOC files to which MS has provided no patch. Leaving a .doc file on a WIKI page where anyone can edit it just seems dangerous to me. | Does it make sense to be distributing an editable .DOC file? I believe there are currently 5 zero-day vulnerabilities in .DOC files to which MS has provided no patch. Leaving a .doc file on a WIKI page where anyone can edit it just seems dangerous to me. | ||
Line 4: | Line 6: | ||
It would be especially embarrassing if all of us security wizards got ourselves infected with a nasty virus or something because of this... | It would be especially embarrassing if all of us security wizards got ourselves infected with a nasty virus or something because of this... | ||
+ | |||
+ | * The idea that you're concerned with the .doc file format, but not the fact that you have 0 security/oversight in place WRT who becomes a contributer/editor of the content is what's most alarming to me. | ||
+ | ** Thanks for the comments, but you just don't understand how it works. The OWASP model follows the Wikipedia model. Anyone can edit, and there is a large number of reviewers reviewing all the changes on the entire site. We are massively more productive this way than we were before. In addition, there were extensive rounds of comments and review of the draft. [[User:Jeff Williams|Jeff Williams]] 21:27, 19 June 2007 (EDT) | ||
+ | |||
+ | == Organization == | ||
+ | |||
+ | * My primary concern however, and the reason that I'm posting this, is the fact that the list of items in the "Top 10" doesn't seem to follow any standardized format as far as criterion is concerned. Number 4 and Number 10 describe the exact same security flaw, and they should be combined to be #1, considering that since each flaw amounts to the same essential level of vulnerability the only way to reasonably order or rank them would be by how common they are. Number 7, 8, and 9 are also all basically the same issue, and again should be higher on the list of vulnerabilities, considering they're probably the second or third most common issue. | ||
+ | ** You obviously didn't read the paper to understand the methodology. We specifically split #4 and #10 to make sure that people deal with both. They are very different problems in the code. And to say #7 (authentication/sessions), #8 (crypto storage), and #9 (SSL) are the same issue is just ridiculous. As far as what the most common issue is, please show us the data or leave it alone. [[User:Jeff Williams|Jeff Williams]] 21:27, 19 June 2007 (EDT) | ||
+ | |||
+ | == OS Privileges == | ||
+ | |||
+ | * One issue I do not see mentioned, that relates directly to items 4 and 10, is internal permissions/ownership of files/processes. If the Apache and or Tomcat user owns all of the files, or god forbid has root access, anyone connected to the site has full permissions to any and all directories/files available under the site's home directory. And can even effect the system outside of the site's directory | ||
+ | ** This is a legitimate comment, but it applies across a number of flaws, particularly injection. We've chosen to focus on problems in custom code and de-emphasized the platform hardening concerns. We're not trying to minimize the importance of network and platform security at all, but there are lots of other forums for that. [[User:Jeff Williams|Jeff Williams]] 21:27, 19 June 2007 (EDT) | ||
+ | |||
+ | == Vulnerabilities vs Attacks == | ||
+ | * Although the OWASP top 10 includes the most serious web vulnerabilities, CSRF is an attack as OWASP said in (https://www.owasp.org/index.php/Category:Attack) and it is not mentioned in OWASP vulnerabilities (https://www.owasp.org/index.php/Category:Vulnerability). --[[User:Irsdl|irsdl]] 14:53, 4 December 2008 (EST) | ||
+ | |||
+ | == Titles Clearance == | ||
+ | * I cannot find some OWASP top 10 titles at the OWASP vulnerabilities page (https://www.owasp.org/index.php/Category:Vulnerability), and also at the OWASP attacks page (https://www.owasp.org/index.php/Category:Attack). I think all of the OWASP top 10 titles must be in OWASP vulnerabilities page with their exact name. --[[User:Irsdl|irsdl]] 14:52, 4 December 2008 (EST) |
Latest revision as of 19:53, 4 December 2008
Document format
Does it make sense to be distributing an editable .DOC file? I believe there are currently 5 zero-day vulnerabilities in .DOC files to which MS has provided no patch. Leaving a .doc file on a WIKI page where anyone can edit it just seems dangerous to me.
Can we convert it to .RTF? I believe there are currently no known threats in that format and it is nearly as rich as .DOC.
It would be especially embarrassing if all of us security wizards got ourselves infected with a nasty virus or something because of this...
- The idea that you're concerned with the .doc file format, but not the fact that you have 0 security/oversight in place WRT who becomes a contributer/editor of the content is what's most alarming to me.
- Thanks for the comments, but you just don't understand how it works. The OWASP model follows the Wikipedia model. Anyone can edit, and there is a large number of reviewers reviewing all the changes on the entire site. We are massively more productive this way than we were before. In addition, there were extensive rounds of comments and review of the draft. Jeff Williams 21:27, 19 June 2007 (EDT)
Organization
- My primary concern however, and the reason that I'm posting this, is the fact that the list of items in the "Top 10" doesn't seem to follow any standardized format as far as criterion is concerned. Number 4 and Number 10 describe the exact same security flaw, and they should be combined to be #1, considering that since each flaw amounts to the same essential level of vulnerability the only way to reasonably order or rank them would be by how common they are. Number 7, 8, and 9 are also all basically the same issue, and again should be higher on the list of vulnerabilities, considering they're probably the second or third most common issue.
- You obviously didn't read the paper to understand the methodology. We specifically split #4 and #10 to make sure that people deal with both. They are very different problems in the code. And to say #7 (authentication/sessions), #8 (crypto storage), and #9 (SSL) are the same issue is just ridiculous. As far as what the most common issue is, please show us the data or leave it alone. Jeff Williams 21:27, 19 June 2007 (EDT)
OS Privileges
- One issue I do not see mentioned, that relates directly to items 4 and 10, is internal permissions/ownership of files/processes. If the Apache and or Tomcat user owns all of the files, or god forbid has root access, anyone connected to the site has full permissions to any and all directories/files available under the site's home directory. And can even effect the system outside of the site's directory
- This is a legitimate comment, but it applies across a number of flaws, particularly injection. We've chosen to focus on problems in custom code and de-emphasized the platform hardening concerns. We're not trying to minimize the importance of network and platform security at all, but there are lots of other forums for that. Jeff Williams 21:27, 19 June 2007 (EDT)
Vulnerabilities vs Attacks
- Although the OWASP top 10 includes the most serious web vulnerabilities, CSRF is an attack as OWASP said in (https://www.owasp.org/index.php/Category:Attack) and it is not mentioned in OWASP vulnerabilities (https://www.owasp.org/index.php/Category:Vulnerability). --irsdl 14:53, 4 December 2008 (EST)
Titles Clearance
- I cannot find some OWASP top 10 titles at the OWASP vulnerabilities page (https://www.owasp.org/index.php/Category:Vulnerability), and also at the OWASP attacks page (https://www.owasp.org/index.php/Category:Attack). I think all of the OWASP top 10 titles must be in OWASP vulnerabilities page with their exact name. --irsdl 14:52, 4 December 2008 (EST)