OWASP is a cheat sheet, not Bible

First of all, I am sorry to all my readers/subscribers that I haven’t been active on my blog. I know it’s been a year now, and the reason was silly enough – I couldn’t get hold of a good blogging client for Mac OS. But now, thanks to Blogo, I am back in business. On my Windows box, Live Writer came to my rescue, but since I shifted to Mac, I couldn’t find any. Too lazy to use an online web editor. Blah blah … whatever.

Okay, so what do I mean by "OWASP is a cheat sheet and not the Bible"? To understand it, let me give you some background on where this statement came from.

It has been a decade since I started dealing with web applications, and we all agree they have been growing exponentially – in number as well as in complexity. We have walked a long way from static HTML pages and WYSIWYG editors to web sockets and frameworks. Back on December 1st, 2001, the Open Web Application Security Project (OWASP Foundation) was founded. Following its endowment, another term made it to the headlines in 2004 – the OWASP Top 10 (in short, OT10). Now, ten years into its existence, and kudos to the community, it has evolved coherently with the web at all levels. The idea behind OT10 is to document "a list of the 10 most critical web application security risks". Did you get it? It means it talks about the most important web application security risks, and not all of them. Remember, they are the top 10, not the only 10.

Now honestly, how many of you know lists beyond the OWASP Top 10? Do you know any other list of attack vectors, vulnerabilities or references? Perhaps not. Don’t you wonder whether the applications running on the world-wide-web, or wicked witch of the west (WWW), have other issues as well?

The unfavourable part is that we are so focused on these 10 that we often miss the bigger picture. The enterprise, the consultants, the client and the vendors all have their minds wrapped around the OWASP Top 10. Unfortunately, we are mentoring and promoting a workforce of pen-testers so focused on OT10 that if we ask them something beyond the OWASP context, their expressions get pwned. To me, that’s not the right encouragement. As a pen-tester, the first and foremost rule is – break the rules and find your way in. Then why do we behold OWASP as the only rulebook in our hands, and think we have everything in our artillery? Why don’t we go above and beyond it?

OWASP, by all means, is damn awesome to encourage you and to kick-start your marvels, but not something to stick to while forgetting your own contribution. It’s on us to populate it and find new vectors. You, my friend, are the analyst, the consultant, the pen-tester – go out of the box, break the rules (not the contract) and find something new. Always remember that every assessment is different – take a new approach to the new environment and refer to OWASP, but don’t limit yourself. You never know; you may find some vulnerability that affects the client more than anything documented in the OWASP Top 10.

Enough said, here is a list of things you should consider –

- Next time you deliver a report, do look for the vectors beyond OT10.
- Many of us may find grey areas, but understand that they are different and have different impacts (for example, not all injections are lethal or critical, so don’t club them together or take the default ratings).
- Also, spend some time thinking about what new things we can deliver that others can’t.

If we, holding the security batons, will not take the holistic approach, who else will? Think about it.

Cheers,
/r/n.

PS: Do comment if you know something beyond the OWASP categories. And, to some of my known fellas – please pronounce it OWASP, not OWAPS ;)
