[Owasp-topten] Comments on OWASP Top 10 RC - 2017 A7

Jonathan Carter jonathan.carter at owasp.org
Tue Apr 11 22:18:08 UTC 2017


You could rename A7 to something like "Insufficient Defense-in-Depth". Still generalized, but it leaves the door open to many different approaches.

> On Apr 11, 2017, at 12:38 PM, Joseph Salowey <joe at salowey.net> wrote:
> 
> Thanks to the authors and contributors for working on the OWASP Top 10. I find this to be a useful tool when working with application developers.
> 
> A7 - Insufficient Attack Protection seems overly general.  It seems to be a catch all to cover many topics such as:
> 
> Bad input validation
> Poor application update/modification support
> Insufficient logging or reporting
> Lack of rate-limiting
> 
> The topic seems to be driven by WAF as a solution rather than by the underlying problems.  
> 
> My suggestion would be to either break this topic up into a few different issues or rename the topic to Integrate a WAF into your application.  
> 
> Cheers,
> 
> Joe
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten