20070131

OWASP Top 10 2007 Update RC1


Well, it's been three years coming, and the OWASP Top 10 is about to have a new revision. This version has some major improvements over the 2004 version, but some of the same problems are still there. I'll give a high-level overview of the improvements here and in future posts go over individual items in the Top 10 as I get more time to really digest the document.

Although security practitioners tend to gravitate to other taxonomies of threats, vulnerabilities, flaws, weaknesses, attacks, etc., the OWASP Top 10 is a very well-known listing of common web application vulnerabilities. So when you present your findings to a customer, you end up trying to shoe-horn your findings into one of the Top 10, which generally isn't hard because in the old version, there are some really broad categories. Most web developers have at least seen the OWASP Top 10, but might not have seen some of the more complete or better-structured taxonomies.

Major improvements:

  • Most of the recommendations are substantially better. Most of them recommend using output filtering or a protecting API. For example, the XSS recommendations are business rule input validation, output filtering, then whitelist not blacklist. For SQL Injection, they recommend parameterized queries rather than input validation. (Look out WAF vendors!)
  • Most everything looks more like what we call "vulnerabilities" now. I still consider command injection, cross-site scripting, etc. to be threats, not vulnerabilities, but worded properly, you could say "vulnerable to Cross-site Scripting". While still not perfect, it's a major improvement over the previous hodge-podge of threats, vulnerabilities, and best practices.
  • All the vulnerabilities are actually web-specific vulnerabilities now. While buffer overruns could potentially occur in web applications, I'm not so sure they were one of the 10 most dangerous flaws in web applications, and I know they weren't specific to web applications.
  • Most of the vulnerabilities come from the MITRE Vulnerability Trends, rather than from some list from somebody's head.
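The recommendations in the first bullet, shown side by side as an added example that is not from the OWASP document or this post: a string-concatenated lookup next to its parameterized form, then an allow-list business rule and HTML output encoding for the XSS case. The in-memory table, the username rule and the function names are constructed for illustration.

```python
import html
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data so the example runs offline (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "user")])
    return conn

def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Before: the value is spliced into the SQL text, so it is parsed as SQL.
    A quote in the input changes the statement; only input validation stands
    between the caller and the query grammar."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """After (the 2007 recommendation): a parameterized query. The driver binds
    the value as data, so quotes and keywords inside it are never interpreted."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def concat_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query cannot even be parsed for this input."""
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.Error:
        return True

# XSS: a business-rule allow-list for the input (hypothetical rule), followed by
# output encoding at the HTML sink regardless of what validation decided.
USERNAME_RE = re.compile(r"[A-Za-z0-9_'.-]{1,32}")

def valid_username(name: str) -> bool:
    """Whitelist check: accept only characters the business rule permits."""
    return USERNAME_RE.fullmatch(name) is not None

def render_greeting(name: str) -> str:
    """Output filtering: HTML-encode the value where it enters the markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

def greet_user(conn: sqlite3.Connection, name: str) -> str:
    """Validate the input, query with a bound parameter, encode on output."""
    if not valid_username(name):
        return "<p>Invalid username.</p>"
    rows = lookup_param(conn, name)
    if not rows:
        return "<p>Unknown user.</p>"
    return render_greeting(rows[0][0])
```

Note that `o'brien` is a legitimate value the allow-list accepts: the concatenated query cannot handle it while the parameterized one returns the row and the encoded greeting, which is why the Top 10 now puts the parameterized API ahead of input validation.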
Now for the stuff that didn't improve:
  • Some specific items are still truly a subset of other flaws. For example, Cross-site scripting is its own vulnerability rather than a subset of Command Injection. XSRF is its own vulnerability rather than a subset of session validation (not positive that's necessarily wrong - the whole point of XSRF is that it works in spite of session checks, but I digress....)
  • It still mixes threats with vulnerabilities. Cross-site scripting is something the bad guys do (threat). Insecure Cryptographic Storage is something the good guys fail to do (vulnerability).
  • It actually includes language and/or framework specific fixes. While this is a good thing, OWASP doesn't have a governing board to approve additional framework-specific fixes submitted by the community, so you're limited to the recommendations the authors could come up with. If your developers read this, they may conclude the listing of fixes is exhaustive. I recommend they have an approval panel and allow the community to submit recommendations based on language, platform, or framework. (I know, this is not what the Top 10 is for, but developers do come here first for their recommendations on how to solve the problems.)
As I get to read the individual items, I'll post comments here. It's RC1, so there's still time to fix things, but this is markedly better than the 2004 release.

2 comments:

  1. Sylvan,

    thank you for the feedback. I will try to incorporate many of your suggestions into RC2.

    We would love to have feedback from the frameworks / languages specialists. That's why it's a release candidate rather than a final draft.

    Realistically, what we really need is a Top 10 things to do right, rather than being the Top 10 things which went wrong last year. However, the T10 is a particular type of document and that can't change overly much.

    Anyway, again thanks for your feedback - it is greatly appreciated.

    thanks,
    Andrew van der Stock
    Executive Director, OWASP

  2. You actually hit the nail on the head with "10 Things to do Right", but that would be another document altogether. So many developers already see the OWASP Top 10 as the de-facto standard for all things web application security. Shame on the developers for seeing their role as limited to 10 items. Shame on the industry for not informing them otherwise.

    As I said, the 2007 RC1 is already substantially better than the 2004 version. I'll be trying to formulate any suggestions into one document that is a little more coherent than a bunch of blog posts.
