tptacek|11 years ago
Zero percent direct object references? Three possibilities:
* IBM doesn't know what an insecure direct object reference is.
* I don't know what an insecure direct object reference is.
* IBM's scanning tool is routinely missing an extremely common sev:hi bug class.
The OWASP Top 10 is stupid. For some reason, every attempt at creating a taxonomy of security flaws of any sort fails, and OWASP's is a textbook example. But at least 8 out of the 10 flaws OWASP randomly selects are still common and meaningful.
oracuk|11 years ago
My guess would be the third of your options; it feels like a scanning tool artifact.
However, my point was that even given the age of the OWASP Top 10 and its incredible brand recognition among developers globally, the IBM bulk application scans are still finding (at least some of) these issues.
Interesting point about taxonomies of security flaws. Similarly, taxonomies of security attacks are also hard (wicked, maybe). This may be due to the difficulty of fully defining the world of unexpected or unwanted application behaviour. There is something complex about the space of possible attacks (or flaws) that resists classification at anything other than such a level of foundational definition as to be practically useless in the real world.
danielweber|11 years ago
I have lived this pain and (nearly?) come to tears over it. Literally, you have my thesis title there. Oh man.