[Owasp-topten] RC feedback - Missing "Lack of anti-automation"
dave.wichers at owasp.org
Thu Apr 13 20:46:49 UTC 2017
This absolutely does need to be part of A7 and it was intended that it be.
There was a concern that people might think that "lack of anti-automation"
was the focus of A7, so we dialed some verbiage back, but apparently we
dialed it completely to zero?? We do say both automated and manual attacks
on that page, but clearly we need to do more.
Lack of anti-automation was removed from the "additional risks to consider
list" because we intended it to be directly covered by A7, so that change
wasn't an accident :-)
Colin - help us figure out how to weave this in with the limited space that
we have on that one page.
On Thu, Apr 13, 2017 at 2:59 PM, Colin Watson <colin.watson at owasp.org> wrote:
> Thank you to everyone in the Top Ten project for all the effort in
> creating this RC.
> Last year when the data call was announced, we had some discussion on the
> Leaders' List about "lack of anti-automation":
> As pointed out to me in that discussion, "lack of anti-automation" was
> included in the 2013 Top 10 "Additional Risks to Consider":
> This item has been dropped from the 2017 RC1 completely - it is not in the
> top 10 or in the additional risks. And none of the other 2013 risks include
> these types of attack.
> I wonder if it is somehow meant to be included in A7 - the Automated
> Threats Project is mentioned as a reference for A7. However, I feel this
> may be incorrect since none of the threats in the scope of the Automated
> Threats project appear to be mentioned in the description, explanation or
> example attack scenarios for A7 in 2017 RC1. A7 seems to relate to
> exploitation of vulnerabilities.
> Our project's unwanted automated usage is not about exploitation of
> vulnerabilities, but instead often relate to misuse of inherent valid
> functionality. To that end I feel it odd that such automated threats appear
> neither in the 2017 RC1 Top 10, nor in the “additional risks to consider”.
> Whilst breach reporting does not provide comprehensive or representative
> coverage of attacks, the following recent major incidents indicate the
> types of issue:
> Tesco Bank account enumeration (40,000 accounts)
> Credential stuffing attacks on other sites following LinkedIn and Yahoo
> Some developers and testers ignore or do not think about such threats, and
> therefore there is under-reporting of these issues in many organisations'
> pen test reports and issue logging, yet these issues lead to significant ongoing pain to
> application owners/operators. I have never found any web application that
> isn't at risk from some automated threat (we have listed 20 types of
> threats, soon to be 21). The ease of exploitation is typically EASY
> (because the functionality is inherently built into the web application).
> Since automated threats can be a risk for many different types of
> functionality, my belief is the prevalence is just as common as XSS, so
> prevalence is WIDESPREAD and detectability is EASY. If exploited the impact
> is typically MODERATE, often affecting the application’s owner, and users
> and other parties.
> Regarding protections, in our project's Automated Threat Handbook we
> document 14 classes of countermeasures for automated threats – only a
> couple of which might be provided by something such as a WAF. Most
> countermeasure classes are actually much more relevant to development
> processes. Most do not appear in the "how do I prevent this" for A7, or any
> other risk, in 2017 RC1.
> Colin Watson
> Project co-leader
> OWASP Automated Threats to Web Applications Project
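The two incident types Colin cites (account enumeration and credential stuffing) are both "misuse of inherent valid functionality": every request is a syntactically valid login attempt, so nothing in a single request looks wrong and detection has to aggregate across requests. The following is an added example, not code from the OWASP Automated Threats project or from either author, that runs two such aggregate checks over a constructed login log. The event format, the time window, the thresholds and the outcome labels ("success", "bad_password", "no_such_user") are assumptions chosen for the example.

```python
"""Detect two automated-threat patterns over constructed login events:
credential stuffing (one source trying many different existing accounts,
mostly failing) and account enumeration (one source probing usernames that
mostly do not exist).  All thresholds and the log format are assumptions
made for this example, not project recommendations."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int           # seconds since epoch (constructed values)
    src_ip: str
    username: str
    outcome: str      # "success", "bad_password" or "no_such_user"


def _constructed_events():
    """Build a small, labelled sample log (constructed, not real traffic)."""
    events = []
    # A normal user: two typos then a success, all against one account.
    events += [LoginEvent(1000 + i, "192.0.2.10", "alice", o)
               for i, o in enumerate(["bad_password", "bad_password", "success"])]
    # Credential stuffing: leaked username/password pairs replayed from one IP.
    # The usernames exist (bad_password), and a couple of reused passwords work.
    for i in range(30):
        outcome = "success" if i in (7, 19) else "bad_password"
        events.append(LoginEvent(2000 + i, "203.0.113.5", f"user{i:02d}", outcome))
    # Account enumeration: a dictionary of guessed usernames.  Most do not
    # exist, and the application reveals that through a distinct response.
    for i in range(40):
        outcome = "bad_password" if i % 8 == 0 else "no_such_user"
        events.append(LoginEvent(3000 + i, "198.51.100.7", f"guess{i:02d}", outcome))
    return events


SAMPLE_EVENTS = _constructed_events()


def aggregate_by_source(events, window_seconds=300):
    """Group events per (src_ip, time window) and summarise each bucket."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev.src_ip, ev.ts // window_seconds)].append(ev)
    summaries = []
    for (ip, win), evs in sorted(buckets.items()):
        total = len(evs)
        failures = sum(1 for e in evs if e.outcome != "success")
        unknown = sum(1 for e in evs if e.outcome == "no_such_user")
        summaries.append({
            "src_ip": ip,
            "window": win,
            "attempts": total,
            "distinct_users": len({e.username for e in evs}),
            "failure_ratio": failures / total,
            "unknown_user_ratio": unknown / total,
        })
    return summaries


def detect_credential_stuffing(events, min_distinct_users=10,
                               min_failure_ratio=0.8, max_unknown_ratio=0.5):
    """Sources that spray many *existing* accounts and mostly fail.

    The low unknown-user ratio is what separates stuffing (replaying real
    usernames from a breach) from blind username guessing."""
    return sorted({
        s["src_ip"] for s in aggregate_by_source(events)
        if s["distinct_users"] >= min_distinct_users
        and s["failure_ratio"] >= min_failure_ratio
        and s["unknown_user_ratio"] < max_unknown_ratio
    })


def detect_account_enumeration(events, min_distinct_users=10,
                               min_unknown_ratio=0.5):
    """Sources whose probes mostly hit accounts that do not exist."""
    return sorted({
        s["src_ip"] for s in aggregate_by_source(events)
        if s["distinct_users"] >= min_distinct_users
        and s["unknown_user_ratio"] >= min_unknown_ratio
    })


if __name__ == "__main__":
    print("credential stuffing:", detect_credential_stuffing(SAMPLE_EVENTS))
    print("account enumeration:", detect_account_enumeration(SAMPLE_EVENTS))
```

Two things this illustrates about Colin's point that most countermeasures belong in development rather than in a WAF: the detection only works because the application logs the per-username outcome of each attempt, which is a development decision; and the enumeration signal exists only because the application answers "no such user" differently from "bad password", which is the very behaviour the attacker is harvesting, so the first fix is a uniform failure response at the application layer, with the aggregate monitoring above as a second line.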