Perimeter
11/30/2012
05:09 PM
Gunnar Peterson
Gunnar Peterson
Commentary
Connect Directly
RSS
E-Mail
50%
50%

IAM: The Reason Why OWASP Top 10 Doesn't Change

OWASP's AppSec conference is easily one of the best in the infosec industry. Where will it be held this year? Why not Punxsutawney?

OWASP's AppSec conference is easily one of the best in the infosec industry. Where will it be held this year? Why not Punxsutawney?

Some years ago, Chris Hoff asked why the OWASP Top 10 doesn't change. Yes, Appsec feels like Groundhog Day, but it's not because the people at OWASP are sitting on their hands. The OWASP Top 10 catalogs the top Web vulnerabilities that all applications face, and it's reviewed and updated on a regular basis. But Hoff is right: It mostly does not change.

To refresh your memory, here is the OWASP Top 10 for 2010:

    1. Injection (e.g. SQL Injection)
    2. Cross-Site Scripting
    3. Broken Authentication and Session Management
    4. Insecure Direct Object Reference
    5. Cross-Site Request Forgery
    6. Security Misconfiguration
    7. Insecure Cryptographic Storage
    8. Failure to Restrict URL Access
    9. Insufficient Transport Layer Protection
    10. Unvalidated Redirects and Forwards
After pondering this, I think I have come on a reason why, fundamentally, it does not change. The top two issues, injection (like SQL Injection) and XSS, both have to do with defensive programming. Developers are simply not trained and, consequently, do not know how to avoid these errors. There are fixes available, but they often go unimplemented.

But those are two of the top 10. What about the other eight? Here it's clear that poor identity and access management patterns and practice are a leading factor.

Broken Authentication, Session Management, and Insufficient Transport Layer Protection have been in the OWASP Top 10 for the past decade: They are all examples of authentication vulnerabilities.

Likewise, Insecure Direct Object Reference, Cross-Site Request Forgery, and Failure to Restrict URL Access -- all authorization vulnerabilities -- have spent the past decade in the OWASP Top 10. The 2010 edition of the Top 10 added another authorization vulnerability, Unvalidated Redirects and Forwards.

Where does this leave us? The majority of issues (six of 10) in the OWASP Top 10 are a direct result of identity and access management failures. If you want to escape AppSec Groundhog Day, then you have to change your focus. Addressing IAM architecture, strengthening authentication, and ensuring authorization coverage are not compliance issues or just architecture issues. They are core security concerns that need need your attention.

Gunnar Peterson is a Managing Principal at Arctec Group Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio