[Owasp-leaders] On "Insufficient Attack Protection", and the role of OWASP...

Michael Coates michael.coates at owasp.org
Thu Apr 13 00:21:08 UTC 2017


Eoin,

Very fair questions, and I agree with you on looking for a data-driven
approach.

I'm not part of the top 10 project so consider my feedback anecdotal at
best.
On Wed, Apr 12, 2017 at 4:55 PM Eoin Keary <eoin.keary at owasp.org> wrote:

> Hi Michael,
>
> The question for me, as a contributor to the top 10 via our SaaS/edgescan,
> is: what metrics were used to draw the conclusion?
>
> Is it subjective/"whatever feels right" or is it based in data?
>
> Without data anyone can draft a top 10, as it means little other than a
> marketing exercise or awareness doc, not an accurate reflection.
>
> As an organisation we should be directing people to quick wins, the most
> common issues, and focus on a risk-based approach... what's the most common
> vulnerability, etc.
>
> The issue A7 is rather unclear. Some folks are saying RASP, others WAF,
> you are saying credential stuffing / focused brute force. So given there is
> debate on its meaning amongst us how can we expect developers to grasp this
> issue?
>
> Love you all 😍🤡
>
> Eoin.
>
> Sent from my iPhone
>
> On 12 Apr 2017, at 19:34, Michael Coates <michael.coates at owasp.org> wrote:
>
> There will be lots of discussion on the new Top10 RC, which is great. I
> encourage many to bring comments, feedback and data to the conversation.
>
> I'll keep my comments brief. I'm very much in favor of A7. It could use
> some word cleanup, perhaps a more fitting title too. But the spirit of
> what's being discussed is an important advancement to defending web
> applications. (Also, I don't consider this to be a WAF recommendation, I
> wouldn't go that route on this at all)
>
> A7 reminds me of the massive credential stuffing attacks issue that has
> hit many big sites over the past 18 months. No amount of secure dev, top
> 10s, or WAFs stop credential stuffing. Instead you need active defense that
> is smartly part of the application design.
>
> So, if A7 draws attention to this type of issue (or similar - see OWASP
> automated threats
> <https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications>)
> then I consider that a win.
>
> Just my 2-cent contribution to the larger conversation.
>
> Carry on security folks!
>
> --
> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
>
> On Wed, Apr 12, 2017 at 4:42 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
> As a contributing company to the Top10 stats, I'd like to understand the
> stats behind both new additions. It would be appreciated if someone could point me to the
> right files/stats model.
>
> Sent from my iPhone
>
> On 12 Apr 2017, at 05:19, Azzeddine Ramrami <azzeddine.ramrami at owasp.org>
> wrote:
>
> Hi,
>
> I agree to change the name from "Insufficient Attack Protection", but not
> to "Improper Trust Modeling".
>
> I suggest changing it to "Insufficient Attack Detection and Response".
>
> Regards,
> Azzeddine
>
> On Wed, Apr 12, 2017 at 7:24 AM, Norman Yue <norman.yue at owasp.org> wrote:
>
> Hey folks,
>
> Greetings from sunny Sydney - I hope this email finds you well. I
> apologise for spamming owasp-leaders with this, but I think this is
> important enough that it warrants the attention of the international
> leadership community.
>
> Traditionally, we have been a trusted source of information with regards
> to web application information security, providing both tools and technical
> reference information to developers and application security professionals,
> to help secure the Internet for everyone.
>
> Today, "Insufficient Attack Protection" is actually being considered for
> inclusion in an OWASP Top Ten list.
>
> (Constructively, I think this should be replaced with something like
> "improper trust modelling", and we should push the Google BeyondCorp line of
> thinking, https://research.google.com/pubs/pub43231.html - the polar
> opposite of "buy a WAF".)
>
> Words do not express my burning rage, and my disappointment that no-one
> else appears to feel the same way (I read through the owasp-topten list
> before posting this). Do people still care about the future of this
> community, and how OWASP is perceived throughout the information security
> industry?
>
> With best regards,
>
> Norm
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
> --
> Azzeddine RAMRAMI
> +33 6 65 48 90 04
> OWASP CSRFGuard Project Leader
> OWASP Leader (Morocco Chapter)
> Cognitive Security Expert
>
>

--
Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
OWASP Global Board