bradcausey at owasp.org
Tue Sep 20 17:58:15 UTC 2016
Our emails crossed. =)
Maybe we could word it differently, so each one of these doesn't appear to
be a comprehensive defense approach by itself?
CISSP, MCSE, C|EH, CIFI, CGSP
"Si vis pacem, para bellum"
On Tue, Sep 20, 2016 at 12:56 PM, Dave Wichers <dave.wichers at owasp.org>
> I'm not so sure we should drop basic defenses yet, since this problem is
> so new. I think we should be VERY clear, that we understand certain
> defenses can be bypassed when they can.
> For example, let's say that multi-step login caused 90% of the current
> Credential Stuffing attacks to go away, wouldn't that be worth it? We all
> understand this is an arms race, so it will keep getting harder and harder,
> but I don't think that relatively simple defenses that work today should be
> discarded. And if that's simply step 1 in your defense, and you plan to add
> additional layers of defense, then I don't think discarding step 1 is
> On Tue, Sep 20, 2016 at 1:46 PM, Michael Coates <michael.coates at owasp.org>
>> Thanks for kickstarting this cheat sheet. My initial feedback is that we
>> should scrap 3.2 Defense Option 2: Multi-Step Login Process and 3.3 Defense
>> Option 3: IP blacklists. These defenses just don't work against this type
>> of attack. Even if they provide some defense against the most basic attacks
>> I feel it's misleading since it's trivial for an attacker to bypass these
>> defenses and real world attacks show that they regularly do.
>> Not meant as a bash on the overall cheat sheet. In fact I think I kicked
>> off this thread and am a big supporter of discussion here. But I think it's
>> good for us to avoid partial solutions that could give a false sense of
>> I like the other defenses. I think we also can add a few others which are
>> "additional identity verification" and "anti automation."
>> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
>> OWASP Global Board
>> On Tue, Sep 20, 2016 at 9:39 AM, Brad Causey <bradcausey at owasp.org>
>>> Great discussion so far.
>>> Would you folks mind taking a look over this and providing feedback?
>>> I intend to provide more detail on each subject, but first I figured we
>>> could agree on the primary defenses.
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org