Perimeter
11/30/2012
05:09 PM
Gunnar Peterson
Gunnar Peterson
Commentary
Connect Directly
RSS
E-Mail
50%
50%

IAM: The Reason Why OWASP Top 10 Doesn't Change

OWASP's AppSec conference is easily one of the best in the infosec industry. Where will it be held this year? Why not Punxsutawney?

OWASP's AppSec conference is easily one of the best in the infosec industry. Where will it be held this year? Why not Punxsutawney?

Some years ago, Chris Hoff asked why the OWASP Top 10 doesn't change. Yes, Appsec feels like Groundhog Day, but it's not because the people at OWASP are sitting on their hands. The OWASP Top 10 catalogs the top Web vulnerabilities that all applications face, and it's reviewed and updated on a regular basis. But Hoff is right: It mostly does not change.

To refresh your memory, here is the OWASP Top 10 for 2010:

    1. Injection (e.g. SQL Injection)
    2. Cross-Site Scripting
    3. Broken Authentication and Session Management
    4. Insecure Direct Object Reference
    5. Cross-Site Request Forgery
    6. Security Misconfiguration
    7. Insecure Cryptographic Storage
    8. Failure to Restrict URL Access
    9. Insufficient Transport Layer Protection
    10. Unvalidated Redirects and Forwards
After pondering this, I think I have come on a reason why, fundamentally, it does not change. The top two issues, injection (like SQL Injection) and XSS, both have to do with defensive programming. Developers are simply not trained and, consequently, do not know how to avoid these errors. There are fixes available, but they often go unimplemented.

But those are two of the top 10. What about the other eight? Here it's clear that poor identity and access management patterns and practice are a leading factor.

Broken Authentication, Session Management, and Insufficient Transport Layer Protection have been in the OWASP Top 10 for the past decade: They are all examples of authentication vulnerabilities.

Likewise, Insecure Direct Object Reference, Cross-Site Request Forgery, and Failure to Restrict URL Access -- all authorization vulnerabilities -- have spent the past decade in the OWASP Top 10. The 2010 edition of the Top 10 added another authorization vulnerability, Unvalidated Redirects and Forwards.

Where does this leave us? The majority of issues (six of 10) in the OWASP Top 10 are a direct result of identity and access management failures. If you want to escape AppSec Groundhog Day, then you have to change your focus. Addressing IAM architecture, strengthening authentication, and ensuring authorization coverage are not compliance issues or just architecture issues. They are core security concerns that need need your attention.

Gunnar Peterson is a Managing Principal at Arctec Group Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

Best of the Web
Dark Reading Radio