[Owasp-leaders] On "Insufficient Attack Protection", and the role of OWASP...

johanna curiel curiel johanna.curiel at owasp.org
Wed Apr 12 09:20:54 UTC 2017

Hi Norman

Really sorry to hear about how you feel.

The OWASP Top 10 seems as a collection of information where everyone
participates and provides input to this list.

Were you allowed to provide your input during the collection process?
Did you express your objection against this specific item during the
discussion process?

Please, consider also that this is a Release candidate and not a final
version of the list

I would encourage you and everyone the feels that this item does not seem
adequate for this list, to please discuss it and, argument why
"Insufficient attack protection" should not be part of the list or should
change to something else

My POW in this:
I also agree with Norman pow. We should enforce "lack of proper secure
SDLC" as one of the top risk, since most o the problems occur when
companies developing software do not include security in their design
phase. That is preventive, and not a WAF, WAF are repressive and little
they can do to protect against new attack vectors



On Wed, Apr 12, 2017 at 1:24 AM, Norman Yue <norman.yue at owasp.org> wrote:

> Hey folks,
> Greetings from sunny Sydney - I hope this email finds you well. I
> apologise for spamming owasp-leaders with this, but I think this is
> important enough that this warrants the attention of the international
> leadership community.
> Traditionally, we have been a trusted source of information with regards
> to web application information security, providing both tools and technical
> reference information to developers and application security professionals,
> to help secure the Internet for everyone.
> Today, "Insufficient Attack Protection" is actually being considered for
> inclusion in an OWASP Top Ten list.
> (Constructively, I think this should be replaced with something like
> "improper trust modelling", and we push the Google BeyondCorp line of
> thinking https://research.google.com/pubs/pub43231.html - the polar
> opposite to "buy a waf").
> Words do not express my burning rage, and my disappointment that no-one
> else appears to feel the same way (I read through the owasp-topten list
> before posting this). Do people still care about the future of this
> community, and how OWASP is perceived throughout the information security
> industry?
> With best regards,
> Norm
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Johanna Curiel
OWASP Volunteer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20170412/911deb10/attachment.html>

More information about the OWASP-Leaders mailing list