[Owasp-leaders] New OWASP Top 20 ?

johanna curiel curiel johanna.curiel at owasp.org
Thu Jun 23 13:43:36 UTC 2016


When a project is being used by the industry to describe a problem and it's
used to explain an implementation of a solution, it is an excellent signal
that the project is valuable. I don't read anywhere that the project endorses
the vendor; on the contrary, the vendor uses the project to describe a
problem being researched by an OWASP project.

I believe this project is classified as 'incubator', but it is showing clear
signals of maturity to belong to at least LAB.

This is the kind of development I think the OWASP community wants to see
when valuable projects are produced.

These seem very positive developments for the OWASP Automated Threats to Web
Applications project.

Maybe contacting the vendor regarding the correct naming of the project for
next time is better ;-).

On Thu, Jun 23, 2016 at 9:06 AM, Colin Watson <colin.watson at owasp.org>
wrote:

> Mario
>
> Thank you very much for highlighting this.
>
> OWASP does not endorse or recommend any products or services. The
> name/title of "OWASP Top 20" is incorrect since the threats are neither
> finite in number nor an ordered list.
>
>    PDF:
>    https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf
>
>    Print:
>
> http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22295560.html
>
> The project name is simply "OWASP Automated Threats to Web Applications".
> The twenty automated threats so far documented in the "Automated Threat
> Handbook" could well grow in number, and the ordering is
> application/business specific, primarily due to the type and value of data,
> and therefore the relevant threat actors. The aim of the project was to
> create a listing of vendor-neutral and technology agnostic terms that
> describe real-world automated threats to web applications, at a level of
> abstraction that application owners can relate to. These terms are threat
> events to web applications undertaken using automated actions.
>
> The vendor paper actually linked to is called "Mitigating OWASP
> Automated Threats", which is not the headline in the email marketing
> forwarded to this list.
>
> Despite the mis-naming, I believe it is somewhat encouraging that the automated
> threat terms defined by our project are being used in industry. It is one
> of the project's use cases (from the wiki):
>
> Characterising vendor services
>
> Better Best Ltd has developed an innovative technology to help gaming
> companies defend against a range of automated threats that can otherwise
> permit cheating and distortion of the game, leading to disruption for
> normal players. The solution can be deployed on premises, but is also
> available in the cloud as a service. But Better Best is finding difficulty
> explaining its solution in the market place, especially since it does not
> fit into any conventional product category. Better Best decide to use the
> terminology and threat events listed in the *OWASP Automated Threat
> Handbook* to define their product's capabilities. They hope this will
> provide some clarity about their offering, and also demonstrate how their
> product can be used to replace more than one other conventional security
> device. Additionally, Better Best writes a white paper describing how their
> product has been successfully used by one of their reference customers
> Hollybush Challenge Games to protect against *OAT-006 Expediting*, *OAT-005
> Scalping*, *OAT-016 Skewing* and *OAT-013 Sniping*.
>
>
> We encourage other vendors to use the names and codes. But please don't
> call it the "OWASP Top 20".
>
> Regards
>
> Colin Watson
> OWASP Automated Threats to Web Applications project leader
>
> https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
>
> On 23 June 2016 at 04:30, Mario Robles OWASP <mario.robles at owasp.org>
> wrote:
>
>> Interesting, actually what they are referring to is:
>> https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf
>>
>> Don’t take me wrong, I see this as a positive thing for OWASP
>>
>>
>> *From:* Imperva
>> *Sent:* Wednesday, June 22, 2016 11:13 AM
>> *To:* Mario Robles
>> *Subject:* [IE] Protect web apps against the latest automated threats
>>
>> *New Paper: Mitigating OWASP Automated Threats*
>> <http://mkto-ab130193.com/n/HW0030h0eJ9VnL40m5R00u3>
>>
>> Prevent automated attacks on your web apps
>> How to Stop the New OWASP Top 20
>>
>>     *READ NOW*     <http://mkto-ab130193.com/n/HW0030h0eJ9VnL40m5R00u3>
>>
>> *Put the OWASP Handbook into Action*
>>
>> Cybercriminals increasingly use automation to attack web
>> applications—from credential stuffing to account takeover, sniping to DDoS
>> attacks, and more. Using the groundbreaking OWASP Automated Threat Handbook
>> for Web Applications as a framework, this new white paper helps you go one
>> step further to stop automated threats. You’ll learn:
>>
>>    - Why automated threats are so pervasive today
>>    - Which automated threats target web applications
>>    - How to effectively protect against the top 20 OWASP automated
>>    threats
>>
>> Read this paper to see how real-world businesses put defenses in place to
>> protect their business critical data and applications.
>>
>>
>> Copyright ©2016 Imperva. All rights reserved.
>> 3400 Bridge Parkway. Redwood Shores, CA 94065 USA
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>


-- 
Johanna Curiel
OWASP Volunteer