This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Difference between revisions of "OWASP Automated Threats to Web Applications"
Older revision: (Renamed page)
Newer revision: (Definitions added)
Line 102: | Line 102: | ||
Once the ontology is complete, relevant mitigations and protective controls will be identified. | Once the ontology is complete, relevant mitigations and protective controls will be identified. | ||
− | = Bibliography = | + | = Project Scope = |
+ | |||
+ | = Project Definitions = | ||
+ | |||
+ | == Automated Threats to Web Applications == | ||
+ | |||
+ | Threat events to web applications undertaken using automated actions. | ||
+ | |||
+ | An attack that can be achieved without the web is out of scope. | ||
+ | |||
+ | |||
+ | == Risk == | ||
+ | |||
+ | Definitions from [http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf Risk Taxonomy, Technical Standard, The Open Group, 2009] | ||
+ | |||
+ | : Action | ||
+ | ;An act taken against an asset by a threat agent. Requires first that contact occurs between the asset and threat agent. | ||
+ | |||
+ | :Threat | ||
+ | Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures. | ||
+ | |||
+ | : Threat Agent | ||
+ | ;Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm. | ||
+ | |||
+ | : Threat Event | ||
+ | ;Occurs when a threat agent acts against an asset. | ||
+ | |||
+ | |||
+ | == Web applications == | ||
+ | |||
+ | ; Application layer | ||
+ | : "Layer 7” in the [http://en.wikipedia.org/wiki/OSI_model OSI model] and “application layer” in the [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP model] | ||
+ | |||
+ | ; Application | ||
+ | : Software that performs a business process i.e. not system software | ||
+ | : NIST SP-800-37 “A software program hosted by an information system”, see [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2] | ||
+ | |||
+ | ; Web | ||
+ | : The World Wide Web (WWW, or simply Web) is an information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI) [http://www.w3.org/TR/webarch/ Architecture of the World Wide Web, Volume One, W3C] The first three specifications for Web technologies defined URLs, HTTP, and HTML [http://www.w3.org/Help/ Help and FAQ, W3C] | ||
+ | |||
+ | ; Web application | ||
+ | : An application delivered over the web | ||
+ | |||
+ | |||
+ | |||
+ | = Project Bibliography = | ||
=FAQs= | =FAQs= |
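Review bot: the two new top-level headings "= Project Scope =" and "= Project Bibliography =" are empty in this revision (Project Scope is followed directly by "= Project Definitions =", and Project Bibliography by "=FAQs="), so the rendered page shows bare section titles; either add the scope statement and bibliography entries or hold the headings until that text exists. The definition-list markup is also inconsistent between the two subsections: under "== Risk ==" the term lines use ":" and the definition lines ";" (e.g. ": Action" / ";An act taken against an asset..."), which MediaWiki renders as an indented term and a bold definition, while under "== Web applications ==" the order is the intended "; Term" / ": Definition"; switch the Risk entries to ";Action" / ":An act taken..." so both lists render alike, and the "Threat" entry under Risk is missing its ";" marker altogether.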
Revision as of 13:52, 3 April 2015
Automated Threats to Web Applications

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS), like HTTP flooding, when in fact the DoS is a side-effect rather than the primary intent. Some examples commonly referred to are:

Frequently these have sector-specific names. Most of these problems, seen regularly by web application owners, are not listed in any OWASP Top Ten or other top-issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility and inconsistent naming of such threats, with a consequent lack of clarity in attempts to address the issues. Without a common language shared between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

Licensing

All the materials are free to use. They are licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, you distribute the resulting work only under the same or a similar license. © OWASP Foundation
What Is This?

Information and resources to help web application owners defend against automated threats.

What Isn't It?

Project Objective

This project brings together research and analysis of real-world automated attacks against web applications to produce documentation that assists operators in defending against these threats. Sector-specific guidance will be available.

Project Leader

Contributors

Please help and your name can appear here. The project needs web application owners' threat information and reviewers.

Related Projects

News and Events

Classifications
Work is currently underway on identifying automated threats to web applications, and determining the primary name used. This first part of the project intends to produce a consistent vocabulary for discussing the threats before moving onto other aspects.
Once the ontology is complete, the contributing weaknesses to each threat will be identified.
Once the ontology is complete, relevant mitigations and protective controls will be identified.
Project Definitions

Automated Threats to Web Applications
Threat events to web applications undertaken using automated actions.
An attack that can be achieved without the web is out of scope.

Risk
Definitions from Risk Taxonomy, Technical Standard, The Open Group, 2009 (http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf)
- Action
- An act taken against an asset by a threat agent. Requires first that contact occurs between the asset and threat agent.
- Threat
- Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures.
- Threat Agent
- Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm.
- Threat Event
- Occurs when a threat agent acts against an asset.

Web applications
- Application layer
- “Layer 7” in the OSI model (http://en.wikipedia.org/wiki/OSI_model) and “application layer” in the TCP/IP model (http://en.wikipedia.org/wiki/Internet_protocol_suite)
- Application
- Software that performs a business process, i.e. not system software
- NIST SP-800-37: “A software program hosted by an information system”; see NISTIR 7298 rev 2 (http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf)
- Web
- The World Wide Web (WWW, or simply Web) is an information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI) (Architecture of the World Wide Web, Volume One, W3C, http://www.w3.org/TR/webarch/). The first three specifications for Web technologies defined URLs, HTTP, and HTML (Help and FAQ, W3C, http://www.w3.org/Help/).
- Web application
- An application delivered over the web
FAQs
This page is in the process of creation.
- How do you define "web"?
- Answer
- How do you define "application"?
- Answer
- How do you define "automated threat"?
- Answer
- What is an "ontology"?
- Answer
- Isn't this another bug (vulnerability) list?
- Answer
- I thought "XYZ" already did that?
- Answer
- How can I help?
- Answer
Contributors
Road Map and Getting Involved
The project's roadmap was updated in March 2015:
- Feb-March 2015: Research on automated threats to web applications
- April 2015: Application owner interviews and creation of initial project outputs
- May 2015: Publication of outputs and request for review/data
- Jun-Sep 2015: Gathering of additional contributions, updates to outputs, and translations.
Can you help? The project is looking for information on the prevalence and types of automated threats seen by web application owners in the real world. This will be used to refine and organise the information gathered from research papers, whitepapers, security reports and industry news. If you would like to find out more, or have knowledge to contribute, please contact me directly or via the project's mailing list:
- Colin Watson
- (awaiting project mailing list to be set up)