Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

The OWASP Automated Threats to Web Applications Project has completed a review of reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify, name and classify these scenarios – automated by software causing a divergence from accepted behavior producing one or more undesirable effects on a web application, but excluding tool-based exploitation of single-issue vulnerabilities. The initial objective was to produce an ontology providing a common language for developers, architects, operators, business owners, security engineers, purchasers and suppliers/vendors, to facilitate clear communication and help tackle the issues. The project also identifies symptoms, mitigations and controls in this problem area. Like all OWASP outputs, everything is free and published using an open source license.

These terms are threat events to web applications undertaken using automated actions. The aim was to create a listing of vendor-neutral and technology agnostic terms that describe real-world automated threats to web applications, at a level of abstraction that application owners can relate to. The list of threat events, defined more fully in the OWASP Automated Threat Handbook, is alphabetically:

Not sure which is which? Use the threat identification chart in conjunction with the full handbook.

Licensing

All the materials are free to use. They are licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.