Saturday, April 24, 2010

OWASP Top Ten and Risk

There are *several* risks in the new OWASP Top 10 which have the technical impact of disclosing sensitive information, including Injection, Insecure Direct Object References, and Failure to Restrict URL Access. The T10 isn't organized by attack or impact (such as information leakage), because that leads to a combinatorial explosion of risks. Instead, we've organized the T10 around the missing or broken security control involved with each risk. We believe that this is the simplest thing to measure and manage, and is the most directly applicable to software developers.

Specifically with regard to information leakage, the traditional use of this term (see e.g. http://projects.webappsec.org/Information-Leakage) focuses on implementation details, such as IP addresses and stack traces -- not sensitive business or personal information. While the release of such implementation details isn't good, and it is very common, in most cases it is not a risk by itself, but simply makes another risk worse. Based on the risk factors we were able to determine from the data we received, information leakage (as defined above) didn't make the top ten.

Hopefully that helps explain why it's not in the list, but remember that the T10 is by necessity a generalization, and what's important to your organization may differ.

--Jeff Williams
