Commit eb13b74b authored by Joonatan Ovaska's avatar Joonatan Ovaska

Add new file

parent 3dc7fe39
# Bonus Assignment
These assignments are bonus assignments. Once you have reached at least the minimum passing score from the normal assignments, you can raise your grade with bonus assignments.
## [Reflection] OWASP Top 10:2017 risks (1 point)
Check the OWASP Top10:2017 risk items.
Write down which of the items you are at least somewhat familiar with and which are completely new to you.
## Real bugs (3 points)
Explore the Real-World Bug Hunting book or any publicly disclosed vulnerabilities. Select the most interesting bugs and map each of them to the closest OWASP Top 10 risk (2017 or 2021). Scoring: 0.5 points per unique OWASP Top10 risk that has one or more linked/referenced bugs, up to 6 risks (3 points max).
## [Reading report] OWASP Top10 vs CWE Top25 (5 points)
You may already have heard that `Risk = Likelihood * Impact`. But how do risks, weaknesses and vulnerabilities relate to each other? Let's compare OWASP Top10 to CWE Top25 to learn more.
OWASP Top10 is a list of common web application security **risks**, while MITRE's Common Weakness Enumeration talks about **weaknesses** in all software and hardware. OWASP Top10 is an awareness project, while the CWE category system goes well beyond a Top25 list.
Read the following pages for an introduction to the Common Weakness Enumeration list:
* https://cwe.mitre.org/about/index.html
* https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
Read the following article:
* https://www.synopsys.com/blogs/software-security/mitre-2020-cwe-top-25-most-dangerous-software-weaknesses/
  * Take note of how the terms "weakness" and "vulnerability" are not the same, but are used almost interchangeably.
Read the following parts of OWASP Top10 publication:
* https://owasp.org/www-project-top-ten/2017/Introduction.html
* https://owasp.org/www-project-top-ten/2017/Application_Security_Risks.html
Now, answer the following questions:
* [Reading report] Discuss how the terms vulnerability, weakness and risk are related to each other in the context of web application security (2 pts)
  * If you have open questions regarding these terms (e.g. you have encountered conflicting definitions), include those in your discussion
* [Reading report] How do the contents and the ranking of OWASP Top10 and CWE Top25 differ from each other? Answer at least the following (2 pts):
  * For both lists, **using the definitions of the lists**, explain how a current bottom item could rise to the top of that list (both lists separately)
  * For both lists, **using the definitions of the lists**, explain why an item is not included among the current top items (both lists separately)
## [Reflection] Common Weakness Enumeration (1 point)
* Explore the various ways of viewing CWE items and list 4 things or insights you did not know before, either about the Common Weakness Enumeration listing in general or about some of its items (0.25 pts per item)
  * https://cwe.mitre.org/data/index.html