[HN Gopher] OWASP Needs to Evolve
___________________________________________________________________
OWASP Needs to Evolve
Author : bretpiatt
Score : 169 points
Date : 2023-02-18 09:03 UTC (13 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| chrismorgan wrote:
| I have a very poor opinion of OWASP _content_, because the
| couple of areas I've paid any attention to have never been any
| better than mediocre, clearly written by amateurs long ago and
| largely unmaintained ever since, with _known_ errors and heavily
| misleading statements hanging around for over a decade on no or
| unsound justification, among many other problems obvious to any
| that actually know the field. (See
| https://hn.algolia.com/?query=chrismorgan%20owasp&type=comme...
| for a few comments with somewhat more detail, but things have
| historically been just _so_ bad and so _obviously_ bad that I
| haven't bothered enumerating more than the issue that has annoyed
| me the most.)
|
| (Sigh. I see that as part of fixing a lot of the obvious
| unsuitability of
| https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Sc...
| some time in the past two years--and it _is_ much better now,
| though there are still a few dodgy things about it in both
| content and presentation--they _reintroduced_ the erroneous
| advice to entity-encode /, which was only _finally_ removed two
| years ago. Feel free to try to get that fixed, anyone; for my
| part, I have no interest in trying to work with OWASP.)
| breadchris wrote:
| Wow, I have not seen many of the errors that you have come
| across! That is good to know about.
|
| In regards to freely available information about security, are
| there other resources you can recommend? Something that I find
| myself constantly being asked is "how should I protect my code"
| from engineers. I really fail to find much better freely
| accessible content in one place than the content available on
| OWASP.
|
| Not that this would help the quality of the content, but maybe
| ML can help here? I know a lot of very skilled security people
| who post on various places around the Internet and an ML search
| engine to help you find relevant security material might be
| helpful?
|
| At the company I work for, we are building an ML chat bot that
| would allow you to ask questions about security vulnerabilities
| and get linked to the relevant material to help you make your
| own determination about relevancy.
| couchand wrote:
| This is exactly the subject matter that using a chat bot is
| incredibly dangerous for. The difference between "looks good
| but fundamentally broken" and "logically sound" in security
| arguments is very small. The consumer of the content is
| likely to have little to no developed taste on the matter (or
| they would seek out more specific resources).
|
| If you have some authoritative curation of the resources it
| may have promise, but the question becomes, why not have the
| product of the curation be directly consumable, rather than
| feed it through an opaque layer?
|
| Inventing problems here, people. It was a nice society while
| it lasted.
| quicklime wrote:
| To me, the value of an ML tool would be in the step after
| we run things through static analysis (e.g. linters for bad
| coding practices, SCA scans for known CVEs) and before we
| send this off to our security team for an internal audit
| and pen test. It would be a tool that we add to our
| existing tool set, so that we can catch issues earlier,
| rather than something to replace our pen testers.
|
| Even if you do have some authoritative curation of
| resources, it's difficult for dev teams to consume it. And
| even for those who do understand security, it requires a
| lot of tedious work to check through. I wish it weren't the
| case, but the reality is that most teams don't have the
| specialist skills or the motivation to grind away at this
| for a significant chunk of their time.
| tptacek wrote:
| I agree with you, and further would say that this has been the
| case with OWASP for at least a decade.
|
| My take about OWASP on HN has generally been: they're effective
| at producing communication tools that raise the salience of
| application security, especially within large companies. And
| that's about it.
|
| https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
| taeric wrote:
| I think that is how I view them. In particular, I am always
| surprised when people don't know of them, but I also don't
| advocate for them too heavily.
|
| Do you have any similar group that you do recommend?
| tptacek wrote:
| It's not at all the same thing but I try to keep up with
| whatever PortSwigger is writing on their site, and it's
| usually pretty high-value.
| colbyx wrote:
| Agreed, that matches my experience too: it's the clueless
| leading the clueless. I actively steer people away from OWASP
| regarding training and reference materials.
| DyslexicAtheist wrote:
| where are you steering them to?
| programmarchy wrote:
| What's the best alternative?
| dwheeler wrote:
| This doesn't exactly answer your question, but if you want
| a basic course for software developers in how to develop
| secure software, check out this free course from the
| OpenSSF: https://openssf.org/training/courses/
|
| Full disclosure: I'm the primary author.
| zenexer wrote:
| They didn't reintroduce the error; it was never completely
| fixed. I created an issue for it.
| https://github.com/OWASP/CheatSheetSeries/issues/1089
| markl42 wrote:
| I'm not familiar with the work that OWASP does, other than the
| cheat sheet series.
|
| The cheat sheet series is amazing - a great resource to defer to
| when you don't know or want to think about how to do <x>, you
| just want to look up and implement the industry standard.
|
| It's a great reference, and I use it lot. <3 to the folks working
| on that :)
| chrismorgan wrote:
| The main cheat sheet I've looked closely at is the XSS one, and
| it's never been better than mediocre, with (for over a decade,
| despite it being known about; only recently has it been redone
| to be tolerable, though still not _excellent_) awful framing,
| grossly misleading structure (seriously, almost every citation
| I've seen of it has _misapplied_ it because of this),
| irrelevant and excessive content in some areas and critical
| missing content in other areas.
|
| Therefore my recommendation is: use it for general awareness,
| _perhaps,_ but do not trust it. Because there probably _isn't_
| anyone really working on it--you're probably actually looking
| at something that was written well over 10 years ago by an
| amateur, and has received almost no maintenance since then.
| CaliforniaKarl wrote:
| Can you recommend a good substitute for the Cheatsheets?
| sdiq wrote:
| owasp-change.github.io
| Sytten wrote:
| One of the reasons we started to work on my own startup was to
| provide a credible alternative to Burpsuite as Zap was not
| evolving in that direction. If we had funding in the amount this
| letter wants per year it would be easy to build it open source and
| free, but where do they think this money will come from? This is
| not like the Linux foundation which produces something businesses
| can use to produce massive amounts of money on top. This is
| competing with commercial products in the space and potentially
| reducing their revenue.
| ethereal-haze wrote:
| You'd think with all those names, they could come up with a better
| standard or something
| secondcoming wrote:
| OWASP
|
| > The Open Worldwide Application Security Project® (OWASP) is a
| nonprofit foundation that works to improve the security of
| software.
| airza wrote:
| Last time I heard from OWASP was when they wanted me to do unpaid
| review for papers being accepted to a paid conference.
| quelltext wrote:
| So, like any other instance of this (in academia).
| tptacek wrote:
| I was going to say: that describes Usenix, too.
| wccrawford wrote:
| I understand the visceral reaction there, but OWASP is a
| nonprofit foundation, and conferences cost money to host. They
| were attempting to make the conference as cheap as possible by
| getting volunteers instead of paying people for whatever work
| they could, I'm sure.
|
| If this was a for-profit company, I'd completely agree with
| you, but it's not.
| eastbound wrote:
| In other words, they're asking for funding and a clear plan per
| project. OWASP does the Maven dependency scanner, which relies on
| the NIST db.
|
| As a small software vendor, buying other security scanning
| solutions is very expensive, and they still aren't as accurate as
| a pentester investigating our code.
|
| Would it be a good idea if OWASP had a paid service where
| companies would pay for the verification of OSS libraries (hi
| NPM!), and that would innocent you in front of the EU's diligence
| requirements?
| Mountain_Skies wrote:
| Reading between the lines, sounds like they want control handed
| over to large corporations with everything controlled by a CoC,
| enforced by representatives of those corporations, directly or
| covertly.
| ath0 wrote:
| Counterpoint from Josh Sokol, former OWASP board member:
| https://www.linkedin.com/feed/update/urn:li:activity:7031305...
|
| The OWASP nonprofit isn't like the well-funded Linux Foundation;
| it runs on a shoestring budget made worse by the loss of
| conference revenue during the pandemic. OWASP charters events,
| local meetups, training content and OSS projects - the authors of
| this memo focus only on the OSS project needs. The OWASP board
| sees itself as community first and foremost; projects should seek
| their own sponsorships.
| electroly wrote:
| If OWASP wants to focus on chapters and events, why do they
| have projects under their umbrella at all? We had a similar
| problem in the .NET ecosystem with the .NET Foundation. It
| turned out they don't really do that much for the projects they
| oversee after all, so what's the point? Why be part of an
| organization that isn't providing the support you need?
|
| Perhaps, indeed, they should not be. Given this response, it
| sounds to me like the projects _should_ leave. What they need
| is simply different than what OWASP wants or is financially
| able to provide. The projects have outgrown the organization,
| and the organization doesn't see itself as being primarily
| about the projects. Sounds, to me, like it's time to make a
| clean break that unburdens OWASP and frees the projects.
| throwaway2847 wrote:
| The projects should leave. I don't think they are a critical
| component of OWASP compared to the educational material
| provided through their documentation and conferences.
| tptacek wrote:
| Two of the major projects in the list of cosigners on this
| are the OWASP Top 10 project and ASVS, which are the two
| big educational projects at OWASP.
|
| I don't especially love either of those projects, but
| they're arguably the two most important things OWASP works
| on outside of the conferences. The Top 10 project can't
| really leave OWASP (ASVS could).
|
| ZAP is the only other project there that I think is all
| that important to the identity of OWASP itself, but it
| should just go find its own sponsorship anyways. People
| like ZAP, but the industry standard is Burp Suite; Burp is
| Microsoft Office to ZAP's... LibreOffice? Like all the
| software freedom stuff aside, if you're a professional, you
| use Word.
| ghaff wrote:
| Even OWASP Top 10 often seems to be most interesting in
| the vein of "That thing that was a problem 10 years ago?
| Yep still a problem." That's a bit unfair. Stuff does
| move around a bit over time and some new categories come
| in. But it often mostly seems to document how relatively
| little things change.
| Tijdreiziger wrote:
| Well, there are a lot of legacy applications out there.
| tptacek wrote:
| I don't think the OWASP Top 10 is especially good, and in
| general think it mostly serves as a tool to raise the
| salience of application security, rather than as a guide
| to implementing it. It almost doesn't matter what the Top
| 10 is.
| ghaff wrote:
| Back when I was attending DevOps Days fairly regularly
| that's pretty consistent with how I saw the OWASP Top 10
| being used--to highlight security in general as opposed
| to any specific categories.
| hn_throwaway_99 wrote:
| Josh Sokol would appear to agree. A response on his
| LinkedIn post:
|
| > Honestly, if they can get $5-10M from "somewhere else", I
| say go for it. Then maybe the Foundation resources can be
| hyper focused on catering to Chapters and Events.
| weinzierl wrote:
| > _Today, many projects operate independently, in some cases
| managing their own sponsorships, finance, websites, domains,
| communication platforms, and developer tools._
|
| This is quite noticeable when you look at the difference between
| Dependency-Track and DefectDojo. Both are OWASP projects, but one
| seems to be modern up-to-date software; the other looks like it's
| straight from the early 2000s.
| robertlagrant wrote:
| ThreatDragon[0] is also looking nice.
|
| [0] https://www.threatdragon.com
| throwboatyface wrote:
| In my experience if the authors get their wish then both will
| look 20-years-old.
| Ekaros wrote:
| So where do they expect to get the 3-8 million in extra funding
| just for their projects? From the current whole budget of OWASP
| of 2 million...
| DyslexicAtheist wrote:
| Any security standards today and legislation such as the Radio
| Equipment Directive (RED) for IoT piggy-back on the work done
| by OWASP. Maybe it's time for these standards bodies, ETSI,
| ISO, UL, IoXT, ... to give back and help with some of the
| funding.
| tptacek wrote:
| They're explicitly asking for corporate membership on the OWASP
| board, to attract more sponsorship dollars.
| KrugerDunnings wrote:
| Look at this fiefdom of tools, ZAP is the only cool thing on
| this list, all the other things are bean counting apps.
| unixhero wrote:
| Bean counters get funding to improve cyber security and hire
| the techies. Respect the Excel jockeys mate.
| KrugerDunnings wrote:
| Only if they use Excel instead of these tools buddy
___________________________________________________________________
(page generated 2023-02-18 23:01 UTC)