Citizens First Cyber Security Professionals cfcspro.com



Shoutbox

02-12-2017 12:08
Yo' Citizens, how you doing today. Today's lesson plans & posts will consist of: How to give spammers a taste of their own medicine!

20-10-2017 11:38
Yo' Citizens, as per your request, a new forum section, 'Suspicious IP Addresses', will be completed today!

20-10-2017 11:30
Yo' Good Morning Citizens. I hope that you are all having a great and cyber-secure day!

09-10-2017 11:10
Yo' Good Morning Citizens! I hope that you had a cyber-secure weekend!

03-10-2017 10:44
Yo' Citizens, good morning. I have some pretty serious vulnerabilities to share with you today. I will have them up shortly!

Welcome Citizens

Welcome to Citizens First Cyber Security Professionals.

A cyber security investigative services firm focused on the individual citizen, with a cyber security web forum and an educational cyber security dojo.

Geared strictly to helping individual citizens and small businesses address unwanted cyber security intrusions and hacking incidents!

New OWASP Top 10 List Includes Three New Web Vulns - Via - DarkReading
Brooklyn
Yo' Greetings Citizens,

New OWASP Top 10 List Includes Three New Web Vulns - Via - DarkReading

But dropping cross-site request forgeries from list is a mistake, some analysts say.

After months of review, the Open Web Application Security Project has finally formally updated its widely used, if somewhat disputed, ranking of top Web application security vulnerabilities.

OWASP's Top 10 list for 2017 replaces three vulnerability categories from the previous list with new ones and shuffles a couple of others around in moves that not everybody agrees with.

As with previous years, injection vulnerabilities such as SQL and LDAP injection topped the list of OWASP's concerns for 2017, followed by incorrectly implemented authentication and session management functions. Cross-site scripting errors, which ranked third in OWASP's 2013 list, dropped to the seventh spot in this year's ranking, while cross-site request forgeries (CSRF) dropped out altogether.

Making its appearance for the first time in OWASP's top 10 list is a category dubbed XML external entities (XXE), pertaining to older and poorly configured XML processors. Data gathered from source code analysis testing tools supported inclusion of XXE as a new vulnerability in the top 10 list, according to OWASP.

The two other new additions to the list are insecure deserialization errors, which enable remote code execution on affected platforms, and insufficient logging and monitoring. Both of these new vulnerability categories were added to the list based on feedback from community members who contribute to the OWASP effort.

Making way for these new categories were insecure direct object references and missing function level access control errors, which, along with CSRF, dropped out of OWASP's top 10 ranking.

The list was compiled from community feedback, from data collected from dozens of organizations that specialize in application security, and from a survey of more than 500 individuals. Data in the report was distilled from vulnerability information gathered from more than 100,000 applications and APIs used by hundreds of organizations.

Like OWASP's previous vulnerability rankings, the new one — the first major revision to the list in four years — should end up being a vital asset for organizations looking for high-level guidance on prioritizing Web application vulnerabilities. But not everyone is convinced that the updated list necessarily includes the top Web application security concerns.

Jeremiah Grossman, chief of security strategy at SentinelOne, says one problem is that the list focuses less on legacy application concerns and more on what developers of modern applications should be paying attention to. It's a bit surprising, for instance, that CSRF has been removed from the list, considering how common the vulnerability is in existing legacy environments. In contrast, XXE, one of the flaws on the list, is not very common but is of high severity.

"The change speaks partially to bias in the data and a split between what legacy applications and modern applications tend to be vulnerable to," Grossman says. While modern application frameworks tend to have native protections against CSRF, legacy applications do not.

"It's important to remember that the OWASP top 10 is not an accounting for all the vulnerabilities that might cause an organization to get hacked, but more a list of the most common and risky issues that should be considered. In that way, the list is a great community resource."

Others, such as infosec consultant Josh Grossman, have also expressed some skepticism in the past over the influence some security vendors have had in shaping the OWASP list. He has called out how a single vendor with a potentially vested interest has influenced two of the newly listed vulnerability categories in the OWASP list...++...

Please Read The Full Story here: https://www.darkr...id/1330479

Thank You For Your Time, Citizens. I hope that you have a great and cyber-secure day!

Thank You Citizen,
The Administration
 
http://cfcspro.com
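The XXE category the article above adds to the list concerns XML processors that declare and expand external entities. As an added example (not code from the article, from OWASP, or from this forum), the Python below pre-scans a document with expat handlers and refuses any DOCTYPE or entity declaration before a tree is built, which is the same policy hardened parser wrappers apply; the sample documents are constructed.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class ForbiddenXML(ValueError):
    """Raised when a document declares a DOCTYPE or any entity."""


def parse_xml_safely(data: bytes) -> ET.Element:
    """Pre-scan `data` with expat handlers that abort on a DOCTYPE, on
    entity declarations and on external entity references, then build
    the tree. Aborting at the declaration means no entity body is ever
    expanded and no external file or URL is ever fetched."""

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE not allowed: {name}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration not allowed: {name}")

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML(f"external entity reference blocked: {sysid}")

    scanner = xml.parsers.expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = on_doctype
    scanner.EntityDeclHandler = on_entity_decl
    scanner.ExternalEntityRefHandler = on_external_ref
    scanner.Parse(data, True)  # raises ForbiddenXML or ExpatError
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if the pre-scan refuses `data`; malformed XML still raises."""
    try:
        parse_xml_safely(data)
    except ForbiddenXML:
        return True
    return False


# Constructed samples: a plain document, and one carrying a DOCTYPE with
# a harmless internal entity, which the policy rejects all the same.
CLEAN_DOC = b'<?xml version="1.0"?><order id="7"><item>widget</item></order>'
DOCTYPED_DOC = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE order [<!ENTITY vendor "ACME">]>'
                b'<order id="8"><item>&vendor;</item></order>')

if __name__ == "__main__":
    print(parse_xml_safely(CLEAN_DOC).tag)  # order
    print(is_rejected(DOCTYPED_DOC))        # True
```

Rejecting every DOCTYPE is deliberately broader than blocking only external entities: it also closes the internal-entity expansion variants, at the cost of refusing legitimate documents that carry a DTD.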
SinisterGenius
Do they think that CSRF attacks aren't worth the risk??
 