by tptacek
1710 days ago
Yeah, this is neat looking, but there is nothing resembling the rigor or even simple empiricism baked into the OWASP Top 10 to enable this kind of visualization. The Top 10 is ultimately a marketing mechanism for web software security. That's not a bad thing! Web software security can use all the marketing help it can get. But, regardless of what anyone at OWASP says about this, I don't think there's much validity either to the way it buckets vulnerabilities into these categories, or the way it "prioritizes" them. Earlier, regarding this year's Top 10: https://news.ycombinator.com/item?id=28470955

I remember pwning PHP-Nuke sites with SQL injection more than a decade ago. At least as far as that dumpster fire (PHP-Nuke) goes, there are 2021-dated CVEs for SQL injection, so clearly at least some people aren't making headway.
I wonder if anyone publishes a broad survey of CVE categories akin to TFA.
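One way to run such a survey yourself, as an added example that is not part of the thread: NVD tags each CVE with one or more CWE identifiers, so bucketing a dump of NVD records by CWE and publication year gives a category breakdown (and shows whether, say, CWE-89 is still being filed). The code below assumes the JSON shape of the NVD CVE API 2.0 response (`vulnerabilities[].cve.id`, `.published`, `.weaknesses[].description[].value`); the five records embedded in it are constructed for illustration, with placeholder IDs, and are not real CVEs.

```python
"""Tally CVE records by CWE and by publication year.

Added example, not from the thread. Input shape is assumed to follow the
NVD CVE API 2.0 JSON; the sample below is constructed, with fake CVE IDs.
"""
import json
from collections import Counter


def _rec(cve_id, published, cwes):
    """Build one 'vulnerabilities' item in the assumed NVD 2.0 shape.

    cwes=None models a record NVD has not yet classified (no 'weaknesses' key).
    """
    cve = {"id": cve_id, "published": published}
    if cwes is not None:
        cve["weaknesses"] = [
            {"source": "nvd@nist.gov", "type": "Primary",
             "description": [{"lang": "en", "value": c}]}
            for c in cwes
        ]
    return {"cve": cve}


# Constructed sample: placeholder IDs, not real CVEs.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    _rec("CVE-0000-0001", "2009-06-10T00:00:00.000", ["CWE-89"]),
    _rec("CVE-0000-0002", "2015-02-03T00:00:00.000", ["CWE-79"]),
    # Same CWE listed twice (primary + secondary) must count once per record.
    _rec("CVE-0000-0003", "2021-04-21T00:00:00.000", ["CWE-89", "CWE-89"]),
    _rec("CVE-0000-0004", "2021-09-14T00:00:00.000", ["CWE-79", "CWE-89"]),
    _rec("CVE-0000-0005", "2021-11-30T00:00:00.000", None),
]})


def parse_nvd(text):
    """Return a list of (cve_id, year, [distinct CWE ids]) tuples.

    Records with no weakness data are bucketed as 'unclassified' so they
    still show up in totals instead of silently dropping out.
    """
    records = []
    for item in json.loads(text).get("vulnerabilities", []):
        cve = item["cve"]
        year = int(cve["published"][:4])
        cwes = sorted({
            d["value"]
            for w in cve.get("weaknesses", [])
            for d in w.get("description", [])
            if d.get("lang") == "en"
        })
        records.append((cve["id"], year, cwes or ["unclassified"]))
    return records


def tally_by_cwe(records):
    """Number of records carrying each CWE (a record with two CWEs counts in both)."""
    return Counter(c for _, _, cwes in records for c in cwes)


def tally_by_year(records, cwe):
    """Per-year count of records carrying the given CWE."""
    return Counter(year for _, year, cwes in records if cwe in cwes)


if __name__ == "__main__":
    recs = parse_nvd(SAMPLE_NVD_JSON)
    for cwe, n in tally_by_cwe(recs).most_common():
        print(f"{cwe:>14}: {n}  by year {dict(sorted(tally_by_year(recs, cwe).items()))}")
```

Pointed at a full NVD year feed the same three functions give the CWE distribution the comment is asking about; mapping CWEs onto OWASP Top 10 buckets is a separate, and contestable, step.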