Talk:Top 10 2007

Document format
Does it make sense to be distributing an editable .DOC file? I believe there are currently 5 zero-day vulnerabilities in .DOC files to which MS has provided no patch. Leaving a .doc file on a WIKI page where anyone can edit it just seems dangerous to me.

Can we convert it to .RTF? I believe there are currently no known threats in that format and it is nearly as rich as .DOC.

It would be especially embarrassing if all of us security wizards got ourselves infected with a nasty virus or something because of this...


 * The idea that you're concerned with the .doc file format, but not the fact that you have 0 security/oversight in place WRT who becomes a contributer/editor of the content is what's most alarming to me.
 * Thanks for the comments, but you just don't understand how it works. The OWASP model follows the Wikipedia model. Anyone can edit, and there is a large number of reviewers reviewing all the changes on the entire site. We are massively more productive this way than we were before.  In addition, there were extensive rounds of comments and review of the draft. Jeff Williams 21:27, 19 June 2007 (EDT)

Organization

 * My primary concern however, and the reason that I'm posting this, is the fact that the list of items in the "Top 10" doesn't seem to follow any standardized format as far as criterion is concerned. Number 4 and Number 10 describe the exact same security flaw, and they should be combined to be #1, considering that since each flaw amounts to the same essential level of vulnerability the only way to reasonably order or rank them would be by how common they are. Number 7, 8, and 9 are also all basically the same issue, and again should be higher on the list of vulnerabilities, considering they're probably the second or third most common issue.
 * You obviously didn't read the paper to understand the methodology. We specifically split #4 and #10 to make sure that people deal with both. They are very different problems in the code. And to say #7 (authentication/sessions), #8 (crypto storage), and #9 (SSL) are the same issue is just ridiculous.  As far as what the most common issue is, please show us the data or leave it alone. Jeff Williams 21:27, 19 June 2007 (EDT)

OS Privileges

 * One issue I do not see mentioned, that relates directly to items 4 and 10, is internal permissions/ownership of files/processes. If the Apache and or Tomcat user owns all of the files, or god forbid has root access, anyone connected to the site has full permissions to any and all directories/files available under the site's home directory. And can even effect the system outside of the site's directory
 * This is a legitimate comment, but it applies across a number of flaws, particularly injection. We've chosen to focus on problems in custom code and de-emphasized the platform hardening concerns. We're not trying to minimize the importance of network and platform security at all, but there are lots of other forums for that. Jeff Williams 21:27, 19 June 2007 (EDT)

Vulnerabilities vs Attacks

 * Although the OWASP top 10 includes the most serious web vulnerabilities, CSRF is an attack as OWASP said in (https://www.owasp.org/index.php/Category:Attack) and it is not mentioned in OWASP vulnerabilities (https://www.owasp.org/index.php/Category:Vulnerability).

Titles Clearance

 * I cannot find some OWASP top 10 titles in the OWASP vulnerabilities page (https://www.owasp.org/index.php/Category:Vulnerability), and also in the OWASP attacks page (https://www.owasp.org/index.php/Category:Attack). I think all of the OWASP top 10 titles must be in OWASP vulnerabilities page with their exact title name.