[Owasp-topten] Released: OWASP Top 10 – 2017

Bauer, John JBauer at sjm.com
Mon Apr 10 19:38:56 UTC 2017


Some quick thoughts about RC1. I’m happy to see the “Insufficient Attack Protection” category however I think the “Underprotected APIs” category could be rolled into that and called out and logging be moved to its own category. I would suggest adding something like “A10 – Insufficient Monitoring/Logging”. I’ve been deploying and managing Web Application Firewalls (WAF) for the past 6 years and discovered early on that all events from WAFs should be logged, indefinitely. When something like XSS is discovered the client and management will always ask, “Was this ever exploited?”. The ability to search past events and answer the hard questions is invaluable. I would recommend, log all requests, headers and parameters if possible as well as application logs. Logging and monitoring is already called out in many standards; the lack of adequate monitoring and logging is a serious issue and widespread especially where regulations might not apply.

Thanks,
John

St. Jude Medical is now Abbott.

[image001]


John Bauer

Senior Application Security Consultant




Abbott



One St. Jude Medical Drive

St. Paul, MN 55117 USA




O:

+1 651 756 2344

M:

+1 612 234 7483

E:

jbauer at sjm.com





This communication may contain information that is proprietary, confidential, or exempt from disclosure. If you are not the intended recipient, please note that any other dissemination, distribution, use or copying of this communication is strictly prohibited. Anyone who receives this message in error should notify the sender immediately by telephone or by return e-mail and delete it from his or her computer.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170410/0b1df916/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 1539 bytes
Desc: image001.jpg
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170410/0b1df916/attachment-0001.jpg>


More information about the Owasp-topten mailing list