Perimeter
11/30/2012
05:09 PM
Gunnar Peterson
Gunnar Peterson
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

IAM: The Reason Why OWASP Top 10 Doesn't Change

OWASP's AppSec conference is easily one of the best in the infosec industry. Where will it be held this year? Why not Punxsutawney?

OWASP's AppSec conference is easily one of the best in the infosec industry. Where will it be held this year? Why not Punxsutawney?

Some years ago, Chris Hoff asked why the OWASP Top 10 doesn't change. Yes, Appsec feels like Groundhog Day, but it's not because the people at OWASP are sitting on their hands. The OWASP Top 10 catalogs the top Web vulnerabilities that all applications face, and it's reviewed and updated on a regular basis. But Hoff is right: It mostly does not change.

To refresh your memory, here is the OWASP Top 10 for 2010:

    1. Injection (e.g. SQL Injection)
    2. Cross-Site Scripting
    3. Broken Authentication and Session Management
    4. Insecure Direct Object Reference
    5. Cross-Site Request Forgery
    6. Security Misconfiguration
    7. Insecure Cryptographic Storage
    8. Failure to Restrict URL Access
    9. Insufficient Transport Layer Protection
    10. Unvalidated Redirects and Forwards
After pondering this, I think I have come on a reason why, fundamentally, it does not change. The top two issues, injection (like SQL Injection) and XSS, both have to do with defensive programming. Developers are simply not trained and, consequently, do not know how to avoid these errors. There are fixes available, but they often go unimplemented.

But those are two of the top 10. What about the other eight? Here it's clear that poor identity and access management patterns and practice are a leading factor.

Broken Authentication, Session Management, and Insufficient Transport Layer Protection have been in the OWASP Top 10 for the past decade: They are all examples of authentication vulnerabilities.

Likewise, Insecure Direct Object Reference, Cross-Site Request Forgery, and Failure to Restrict URL Access -- all authorization vulnerabilities -- have spent the past decade in the OWASP Top 10. The 2010 edition of the Top 10 added another authorization vulnerability, Unvalidated Redirects and Forwards.

Where does this leave us? The majority of issues (six of 10) in the OWASP Top 10 are a direct result of identity and access management failures. If you want to escape AppSec Groundhog Day, then you have to change your focus. Addressing IAM architecture, strengthening authentication, and ensuring authorization coverage are not compliance issues or just architecture issues. They are core security concerns that need need your attention.

Gunnar Peterson is a Managing Principal at Arctec Group Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web