Perimeter
11/30/2012
05:09 PM
Gunnar Peterson
Gunnar Peterson
Commentary
Connect Directly
RSS
E-Mail
50%
50%

IAM: The Reason Why OWASP Top 10 Doesn't Change

OWASP's AppSec conference is easily one of the best in the infosec industry. Where will it be held this year? Why not Punxsutawney?

OWASP's AppSec conference is easily one of the best in the infosec industry. Where will it be held this year? Why not Punxsutawney?

Some years ago, Chris Hoff asked why the OWASP Top 10 doesn't change. Yes, Appsec feels like Groundhog Day, but it's not because the people at OWASP are sitting on their hands. The OWASP Top 10 catalogs the top Web vulnerabilities that all applications face, and it's reviewed and updated on a regular basis. But Hoff is right: It mostly does not change.

To refresh your memory, here is the OWASP Top 10 for 2010:

    1. Injection (e.g. SQL Injection)
    2. Cross-Site Scripting
    3. Broken Authentication and Session Management
    4. Insecure Direct Object Reference
    5. Cross-Site Request Forgery
    6. Security Misconfiguration
    7. Insecure Cryptographic Storage
    8. Failure to Restrict URL Access
    9. Insufficient Transport Layer Protection
    10. Unvalidated Redirects and Forwards
After pondering this, I think I have come on a reason why, fundamentally, it does not change. The top two issues, injection (like SQL Injection) and XSS, both have to do with defensive programming. Developers are simply not trained and, consequently, do not know how to avoid these errors. There are fixes available, but they often go unimplemented.

But those are two of the top 10. What about the other eight? Here it's clear that poor identity and access management patterns and practice are a leading factor.

Broken Authentication, Session Management, and Insufficient Transport Layer Protection have been in the OWASP Top 10 for the past decade: They are all examples of authentication vulnerabilities.

Likewise, Insecure Direct Object Reference, Cross-Site Request Forgery, and Failure to Restrict URL Access -- all authorization vulnerabilities -- have spent the past decade in the OWASP Top 10. The 2010 edition of the Top 10 added another authorization vulnerability, Unvalidated Redirects and Forwards.

Where does this leave us? The majority of issues (six of 10) in the OWASP Top 10 are a direct result of identity and access management failures. If you want to escape AppSec Groundhog Day, then you have to change your focus. Addressing IAM architecture, strengthening authentication, and ensuring authorization coverage are not compliance issues or just architecture issues. They are core security concerns that need need your attention.

Gunnar Peterson is a Managing Principal at Arctec Group Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio