[Owasp-topten] Released: OWASP Top 10 – 2017

John Traenkenschuh traenky at yahoo.com
Mon Apr 10 20:21:34 UTC 2017


I agree with much of this excellent analysis. I don't recommend indefinite logging of events, however. I think each organization should review legal requirements and best standard practices for their vertical. From there, each should choose an appropriate duration.

John Traenkenschuh, CISSP-ISSAP, GIAC-GPEN, GIAC-GAWN, GIAC-GWAPT, Certified Check Point Security Engineer & Administrator, Traenk at OWASP.org, TRAENKY at OUTLOOK.COM, "SENSIBLE SECURITY SOLUTIONS"

      From: "Bauer, John" <JBauer at sjm.com>
 To: "owasp-topten at lists.owasp.org" <owasp-topten at lists.owasp.org> 
 Sent: Monday, April 10, 2017 2:39 PM
 Subject: Re: [Owasp-topten] Released: OWASP Top 10 – 2017
   
Some quick thoughts about RC1. I'm happy to see the "Insufficient Attack Protection" category; however, I think the "Underprotected APIs" category could be rolled into that and called out, and logging could be moved to its own category. I would suggest adding something like "A10 – Insufficient Monitoring/Logging".

I've been deploying and managing Web Application Firewalls (WAFs) for the past 6 years and discovered early on that all events from WAFs should be logged, indefinitely. When something like XSS is discovered, the client and management will always ask, "Was this ever exploited?" The ability to search past events and answer the hard questions is invaluable.

I would recommend logging all requests, headers and parameters if possible, as well as application logs. Logging and monitoring is already called out in many standards; the lack of adequate monitoring and logging is a serious issue, and widespread, especially where regulations might not apply.

Thanks,
John
St. Jude Medical is now Abbott.

John Bauer
Senior Application Security Consultant
Abbott
One St. Jude Medical Drive
St. Paul, MN 55117 USA
O: +1 651 756 2344
M: +1 612 234 7483
E: jbauer at sjm.com
_______________________________________________
Owasp-topten mailing list
Owasp-topten at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-topten
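Bauer's point about retained request logs is that a newly reported vulnerability turns into a question the logs must answer: was this parameter ever attacked before we knew about it? The following is an added example, not code from either poster or from OWASP, of that retrospective search over a full-request log. It assumes a JSON-lines log in which each record carries the timestamp, source address, method, URL (with query string), optional form body and User-Agent; the field names, the log entries and the addresses are constructed for the example. The `since` argument is where Traenkenschuh's retention window bites: anything older than what the organization chose to keep simply cannot be searched.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample of a "log every request, header and parameter" record
# store (JSON lines). Addresses are documentation ranges; nothing here is
# real traffic.
SAMPLE_LOG = """\
{"ts":"2017-02-01T10:15:00Z","src":"203.0.113.5","method":"GET","url":"/search?q=shoes","ua":"Mozilla/5.0"}
{"ts":"2017-02-03T22:41:12Z","src":"198.51.100.7","method":"GET","url":"/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E","ua":"curl/7.52"}
{"ts":"2017-03-15T08:02:45Z","src":"198.51.100.7","method":"GET","url":"/search?q=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E","ua":"curl/7.52"}
{"ts":"2017-03-20T13:30:00Z","src":"203.0.113.9","method":"GET","url":"/profile?name=John","ua":"Mozilla/5.0"}
{"ts":"2017-04-01T09:00:00Z","src":"192.0.2.4","method":"POST","url":"/search","body":"q=javascript%3Aalert(1)","ua":"Mozilla/5.0"}
"""

# Coarse indicators of a script-injection attempt in a decoded parameter
# value. This is a hunting filter, not a WAF rule: false positives are
# reviewed by a human, so breadth matters more than precision here.
XSS_INDICATORS = re.compile(
    r"<\s*script|<\s*img[^>]*onerror|on\w+\s*=|javascript\s*:", re.IGNORECASE
)


def parse_log(text):
    """Yield one dict per non-blank JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def request_params(entry):
    """Merge query-string and form-body parameters into {name: [values]}."""
    params = parse_qs(urlsplit(entry["url"]).query, keep_blank_values=True)
    if entry.get("body"):
        for name, values in parse_qs(entry["body"], keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params


def hunt(log_text, path, param, since=None):
    """Return every retained request to `path` whose `param` carried an XSS
    payload. `since` is an ISO-8601 UTC timestamp string; records older than
    it are outside the retention window and are skipped. ISO timestamps in
    the same zone compare correctly as strings."""
    hits = []
    for entry in parse_log(log_text):
        if since is not None and entry["ts"] < since:
            continue
        if urlsplit(entry["url"]).path != path:
            continue
        for value in request_params(entry).get(param, []):
            # parse_qs already decoded once; a second pass catches
            # double-encoded payloads and is harmless on plain text.
            decoded = unquote_plus(value)
            if XSS_INDICATORS.search(decoded):
                hits.append({"ts": entry["ts"], "src": entry["src"], "payload": decoded})
    return hits


def summarize(hits):
    """Group hits by source address: attempt count, first and last seen."""
    by_src = {}
    for h in hits:
        s = by_src.setdefault(h["src"], {"count": 0, "first": h["ts"], "last": h["ts"]})
        s["count"] += 1
        s["first"] = min(s["first"], h["ts"])
        s["last"] = max(s["last"], h["ts"])
    return by_src


if __name__ == "__main__":
    # The question after an XSS report on /search?q=...: was it ever hit?
    found = hunt(SAMPLE_LOG, "/search", "q")
    for h in found:
        print(h["ts"], h["src"], h["payload"])
    print(summarize(found))
    # Same question with only the last month retained: two of the three
    # attempts are gone, and the earliest probe can no longer be dated.
    print(summarize(hunt(SAMPLE_LOG, "/search", "q", since="2017-03-01T00:00:00Z")))
```

The search is keyed on path and parameter rather than on a WAF signature so that it also surfaces attempts the WAF did not block or did not score highly at the time. Running it with and without `since` shows the trade-off in the thread concretely: the full log attributes two probes from one source going back to February, while a one-month window keeps the fact that the parameter was attacked but loses when the attacker first turned up.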


   