[Owasp-leaders] New OWASP Top 20 ?

Colin Watson colin.watson at owasp.org
Thu Jun 23 13:06:23 UTC 2016


Thank you very much for highlighting this.

OWASP does not endorse or recommend any products or services. The
name/title of "OWASP Top 20" is incorrect since the threats are neither
finite in number nor an ordered list.

The project name is simply "OWASP Automated Threats to Web Applications".
The twenty automated threats so far documented in the "Automated Threat
Handbook" could well grow in number, and the ordering is
application/business specific, primarily due to the type and value of data,
and therefore the relevant threat actors. The aim of the project was to
create a listing of vendor-neutral and technology agnostic terms that
describe real-world automated threats to web applications, at a level of
abstraction that application owners can relate to. These terms are threat
events to web applications undertaken using automated actions.

The actual vendor paper linked to is actually called "Mitigating OWASP
Automated Threats" which is not the headline in the email marketing
forwarded to this list.

Despite the misnaming, I believe it is somewhat encouraging that the automated
threat terms defined by our project are being used in industry. It is one
of the project's use cases (from the wiki):
Characterising vendor services

Better Best Ltd has developed an innovative technology to help gaming
companies defend against a range of automated threats that can otherwise
permit cheating and distortion of the game, leading to disruption for
normal players. The solution can be deployed on premises, but is also
available in the cloud as a service. But Better Best is finding difficulty
explaining its solution in the market place, especially since it does not
fit into any conventional product category. Better Best decide to use the
terminology and threat events listed in the *OWASP Automated Threat
Handbook* to define their product's capabilities. They hope this will
provide some clarity about their offering, and also demonstrate how their
product can be used to replace more than one other conventional security
device. Additionally, Better Best writes a white paper describing how their
product has been successfully used by one of their reference customers,
Hollybush Challenge Games, to protect against *OAT-006 Expediting*, *OAT-005
Scalping*, *OAT-016 Skewing* and *OAT-013 Sniping*.

We encourage other vendors to use the names and codes. But please don't
call it the "OWASP Top 20".


Colin Watson
OWASP Automated Threats to Web Applications project leader


On 23 June 2016 at 04:30, Mario Robles OWASP <mario.robles at owasp.org> wrote:

> Interesting, actually what they are referring to is:
> https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf
> Don’t take me wrong, I see this as a positive thing for OWASP
> *From:* Imperva
> *Sent:* Wednesday, June 22, 2016 11:13 AM
> *To:* Mario Robles
> *Subject:* [IE] Protect web apps against the latest automated threats
> *New Paper: Mitigating OWASP Automated Threats*
> Prevent automated attacks on your web apps
> How to Stop the New OWASP Top 20
> *Put the OWASP Handbook into Action*
> Cybercriminals increasingly use automation to attack web applications—from
> credential stuffing to account takeover, sniping to DDoS attacks, and more.
> Using the groundbreaking OWASP Automated Threat Handbook for Web
> Applications as a framework, this new white paper helps you go one step
> further to stop automated threats. You’ll learn:
>    - Why automated threats are so pervasive today
>    - Which automated threats target web applications
>    - How to effectively protect against the top 20 OWASP automated threats
> Read this paper to see how real-world businesses put defenses in place to
> protect their business critical data and applications.
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders