[Owasp-topten] Comments on OWASP Top 10 RC - 2017 A7

Timothy D. Morgan tim.morgan at owasp.org
Tue Apr 11 23:12:44 UTC 2017

> The topic seems to be driven by WAF as a solution rather than by the
> underlying problems.


It's a solution looking for a problem, rather than a distinct development issue
that programmers should become aware of.  We're not educating developers about
security by prescribing a band-aid cure-all like a WAF.  

This is not how you security.

> My suggestion would be to either break this topic up into a few different
> issues or rename the topic to Integrate a WAF into your application.

Sure, then we can also publish a new top 10 list: 
  "Top 10 Most Common Vulnerabilities in Security Products"

It'll look a lot like the Top 10 list from 2003, since that's the decade most
security product vendors are still living in.  (Just ask @taviso.)


More information about the Owasp-topten mailing list