OWASP Top 10 2013 Released
hypnosec writes "OWASP's Top 10, the Open Web Application Security Project's top 10 most critical web application security risks, has been updated and a new list for 2013 published. The list was last updated back in 2010; in the new list the importance of cross-site scripting (XSS) and cross-site request forgery (CSRF) has been diluted a little, while risks related to broken session management and authentication have moved up a notch. Code injection, which was the topmost risk in 2010, has retained its position in the updated list. The 2013 Top Ten list (PDF) has been compiled based on half a million vulnerabilities discovered in thousands of applications from hundreds of vendors."
The offered list of vulnerabilities is in a pdf.
https://www.owasp.org/index.php/Top10
They forget the most critical security risk:
basing your application in the United States or using any services with US companies or companies with US based headquarters.
You get hacked automatically, and oftentimes legally, by the NSA and various other outfits.
The really sad part about the OWASP Top 10 lists is that they don't change very much. In a perfect world, none of the 2010 top 10 would be on this list, because they would be solved, but the fact of the matter is that most organizations don't care.
I am officially gone from
1. I don't understand why XSS and Injection are listed as separate items. XSS attacks are by definition injection attacks. I think separating this out de-emphasizes an important conceptual understanding applicable to a lot more domains than databases and html. To their credit they say as much.
Referer checking should not have been kept out of the mitigation section for CSRF.
"Using components with known vulnerabilities" (A9) appears to be a subset of "Security misconfiguration" (A5)
The Detectability scale is screwed up in my opinion. Every single item is either Average or Easy except the Difficult designation of 'Using components with known vulnerabilities' (A9)... How hard can it be to check the current versions of the libraries your system is using? What makes A5 easy and A9 hard?
"Sensitive data exposure" (A6) I don't think belongs in the list. It is a political item... yeah, encrypting sounds good, but at some point you need to store a decryption key to decrypt what is encrypted. Management of keys and physical systems security and infrastructure is important, but I'm not sure it fits within the context of the other items, which are about preventing specific attacks, not about how to make being owned less bad.
What I think is missing is a focus on the huge problem of tricking users via phishing / "homographic" attacks. First and foremost, the whole concept of typing a password into a web form to log in is fundamentally fucked up. It's right up there with fake padlock icons displayed on web sites and "two-factor" banking site picturegram logins. The industry needs to fix this shit because they are making things worse by manipulating their users into thinking they are safe with totally irrelevant security assertions which phishers are more than happy to leverage to maximum effect.
Users should be trained to ONLY type passwords into special dialogues within their browsers. We desperately need a web authentication scheme with channel bindings that don't suck ass (e.g. sent in the clear or offline brute force attacks). The closest thing to deployed that fits the bill I know of is TLS-SRP.