Hello Matt,

My only real concern is that the OWASP top ten is now based on 'Risks' and has removed information/data disclosure/leakage. Speaking as someone who has worked in a risk management team, I see the leakage of customer/sensitive data as one of the most serious "Risks" that exist for a company, and it is something that is happening more and more. I brought this to the attention of the Top Ten List back in November (see #5) https://lists.owasp.org/pipermail/owasp-topten/2009-November/000487.html and it wasn't really addressed.
If the top ten was based on attacks and weaknesses (or just vulnerabilities) rather than 'risks' then I could see the argument for removal. Other than that, it is nice to see this document maturing/improving.

Regarding your comment on open redirects, I've seen these many times in the real world and they ARE being used by individuals to phish users. CSRF was used by the Samy worm (not what I'd call a well organized motivated attacker as much as a PoC) in combination with XSS, so I'd say it is used by both audiences (the abuse case is really application/functionality specific).

Regards,
- Robert A.
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/

> I have not seen many people comment on the new OWASP top Ten. What does
> every one think. I blogged about it from my perspective. I am interested in
> hearing about other people's experience with it.
>
> http://parsonsisconsulting.blogspot.com/2010/04/parsons-response-to-owasp-top-10-in.html
>
> Matt Parsons, MSM, CISSP
> 315-559-3588 Blackberry
> 817-294-3789 Home office
> "Do Good and Fear No Man"
> Fort Worth, Texas
> A.K.A The Keyboard Cowboy
> mailto:mparsons1...@gmail.com
> http://www.parsonsisconsulting.com
> http://www.o2-ounceopen.com/o2-power-users/
> http://www.linkedin.com/in/parsonsconsulting
> http://parsonsisconsulting.blogspot.com/
> http://www.vimeo.com/8939668
> http://twitter.com/parsonsmatt
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________