[Owasp-leaders] On "Insufficient Attack Protection", and the role of OWASP...

Bjoern Kimminich bjoern.kimminich at owasp.org
Thu Apr 13 13:58:53 UTC 2017


Hi all,

Except for some "gut-feeling" I did not really create an elaborate
opinion about the two newcomers to the Top10. What I can say with
absolute certainty is:

*THANK YOU* for merging "Insecure Direct Object References" and
"Missing Function Level Access Control" back into one item! During my
developer trainings I always felt that the separation of these two was
kind of artificial/arbitrary. It will be much easier to explain both
aspects of this risk in one training segment rather than split across
two!

Also a big (just slightly less than the previous all-caps-big) *Thank
You* for dropping the rather boring (again, from a trainer's
perspective) "Unvalidated Redirects and Forwards"! :-)

Unfortunately the "What's Next for Developers" section did not get
much attention during the update. It refers to the "Broken Web
Applications Project", which is officially inactive. Instead I would
add "Security Shepherd", especially as it went Flagship
recently?

It also refers to "ESAPI", which seems not exactly active either.
Alternative recommendations might be the Java HTML Sanitizer or
non-OWASP projects such as Bouncy Castle and Spring Security? Those
cover only the Java ecosystem, though. In e.g. the JavaScript world
there is much more variety, but less stability as well. So maybe OWASP
is better off with some "generic" recommendation to pick a proven and
stable security library for your language of choice?

Cheers,
Björn
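
The merged risk discussed above, as an added illustration (my own
example, not code from OWASP, the Top 10 project or any of the tools
named in this thread): "IDOR" and "missing function-level access
control" are the same missing question asked about two things, the
object and the operation. The users, invoices and handler functions
below are constructed for the example; the `POLICY` table and
`authorize()` helper are assumed names, not an OWASP API.

```python
"""Constructed example: object-level (IDOR) and function-level access
control failures, and one deny-by-default policy that covers both.
All data and names here are made up for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: int


class Forbidden(Exception):
    """Raised for any request the policy does not explicitly allow."""


# Constructed sample data: two customers and one administrator.
INVOICES = {
    1: Invoice(1, "alice", 120),
    2: Invoice(2, "bob", 75),
}
ALICE = User("alice", frozenset({"customer"}))
BOB = User("bob", frozenset({"customer"}))
ADMIN = User("carol", frozenset({"admin"}))


# --- Vulnerable handlers: the caller is authenticated, never authorized ---

def get_invoice_vulnerable(user, invoice_id):
    # Any logged-in user can read any invoice by guessing its id (IDOR).
    return INVOICES[invoice_id]


def void_invoice_vulnerable(user, invoice_id):
    # "Admin only" in the UI, but the server never checks the role
    # (missing function-level access control).
    inv = INVOICES[invoice_id]
    return Invoice(inv.invoice_id, inv.owner, 0)


# --- Hardened handlers: one authorization gate for both questions ---------

# action -> predicate(user, resource) -> bool. Object ownership and the
# role needed for an operation are decided in the same place.
POLICY = {
    "invoice:read": lambda u, inv: "admin" in u.roles or inv.owner == u.name,
    "invoice:void": lambda u, inv: "admin" in u.roles,
}


def authorize(user, action, resource):
    """Deny by default: unknown actions and failed predicates both refuse."""
    rule = POLICY.get(action)
    if rule is None or not rule(user, resource):
        raise Forbidden(f"{user.name} may not {action} on {resource.invoice_id}")
    return resource


def _load(user, action, invoice_id):
    inv = INVOICES.get(invoice_id)
    if inv is None:
        # Same error as a denied request, so ids cannot be enumerated
        # by telling "not yours" apart from "does not exist".
        raise Forbidden(f"{user.name} may not {action} on {invoice_id}")
    return authorize(user, action, inv)


def get_invoice(user, invoice_id):
    return _load(user, "invoice:read", invoice_id)


def void_invoice(user, invoice_id):
    inv = _load(user, "invoice:void", invoice_id)
    return Invoice(inv.invoice_id, inv.owner, 0)


def can(handler, user, invoice_id):
    """True if the handler lets this user through, False if it refuses."""
    try:
        handler(user, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # bob reading alice's invoice, and voiding it, only works on the
    # vulnerable handlers; the policy-backed ones refuse both.
    print("vulnerable read by bob:", can(get_invoice_vulnerable, BOB, 1))
    print("hardened read by bob:  ", can(get_invoice, BOB, 1))
    print("hardened void by admin:", can(void_invoice, ADMIN, 1))
```

The point for a training segment: the two "old" Top 10 items differ
only in which argument of the check was forgotten (the resource or
the action), and a single deny-by-default gate in front of the handler
closes both.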

On Thu, Apr 13, 2017 at 2:49 PM, johanna curiel curiel
<johanna.curiel at owasp.org> wrote:
> https://danielmiessler.com/blog/comments-owasp-top-10-2017-draft/#gs.WXVi5Dw
>
> On Wed, Apr 12, 2017 at 9:48 PM, Dave Wichers <dave.wichers at owasp.org>
> wrote:
>>
>> The OWASP Top 10 - 2017 data call data and some basic analysis of it is
>> available in this folder on github:
>> https://github.com/OWASP/Top10/tree/master/2017/datacall. It's a simple
>> multi-tab Excel spreadsheet.
>>
>> -Dave
>>
>>
>> On Wed, Apr 12, 2017 at 7:42 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>
>>> As a Contributing company to the Top10 stats I'd like to understand the
>>> stats behind both new additions. Appreciated if someone can point me to the
>>> right files/stats model?
>>>
>>> Sent from my iPhone
>>>
>>> On 12 Apr 2017, at 05:19, Azzeddine Ramrami <azzeddine.ramrami at owasp.org>
>>> wrote:
>>>
>>> Hi,
>>>
>>> I agree to change the name from "Insufficient Attack Protection" but not
>>> to "Improper Trust Modeling".
>>>
>>> I suggest changing it to "Insufficient Attack Detection and Response".
>>>
>>> Regards,
>>> Azzeddine
>>>
>>> On Wed, Apr 12, 2017 at 7:24 AM, Norman Yue <norman.yue at owasp.org> wrote:
>>>>
>>>> Hey folks,
>>>>
>>>> Greetings from sunny Sydney - I hope this email finds you well. I
>>>> apologise for spamming owasp-leaders with this, but I think this is
>>>> important enough that this warrants the attention of the international
>>>> leadership community.
>>>>
>>>> Traditionally, we have been a trusted source of information with regards
>>>> to web application information security, providing both tools and technical
>>>> reference information to developers and application security professionals,
>>>> to help secure the Internet for everyone.
>>>>
>>>> Today, "Insufficient Attack Protection" is actually being considered for
>>>> inclusion in an OWASP Top Ten list.
>>>>
>>>> (Constructively, I think this should be replaced with something like
>>>> "improper trust modelling", and we push the Google BeyondCorp line of
>>>> thinking https://research.google.com/pubs/pub43231.html - the polar opposite
>>>> to "buy a waf").
>>>>
>>>> Words do not express my burning rage, and my disappointment that no-one
>>>> else appears to feel the same way (I read through the owasp-topten list
>>>> before posting this). Do people still care about the future of this
>>>> community, and how OWASP is perceived throughout the information security
>>>> industry?
>>>>
>>>> With best regards,
>>>>
>>>>
>>>> Norm
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>
>>> --
>>> Azzeddine RAMRAMI
>>> +33 6 65 48 90 04.
>>> OWASP CSRFGuard Project Leader
>>> OWASP Leader (Morocco Chapter)
>>> Cognitive Security Expert
>>>
>>
>>
>
> --
> Johanna Curiel
> OWASP Volunteer
>
