[Owasp-topten] On "Insufficient Attack Protection", and the role of OWASP...

Osama Elnaggar oelnaggar04 at gmail.com
Wed Apr 12 06:01:30 UTC 2017

Hi Norman,

A number of others on the list (Olivier, Joseph, Timothy) shared their
concerns on this requirement.

Personally, I think a balanced approach would be the best as security
logging is something that has been missing for ages at the application
tier.  In terms of monitoring and logging, applications are probably the
least mature in terms of security logging and SOCs are rarely fed with
adequate application security logs.  Here's what I wrote in my feedback

"I think that this section addresses an issue that has been missing for a
long time.  I would probably rename this section to Detection and
Prevention and expand on logging of all sensitive function access, failed
requests due to malicious input, etc. and not just rely on a WAF or RASP
(although doing so is the recommended approach for virtual patching).
Prevention is ideal, but detection is a must.  Also, some issues related to
attack prevention such as IDOR abuse (if the attacker rate limits
themselves) won't easily be detected by WAFs, etc. because the input itself
is not malicious."

Without good security logging in place, you really don't know if any of
your previous controls were actually implemented correctly and if your
application is successfully detecting and protecting against these attacks
or not without having to do additional work (penetration testing, source
code analysis, etc.)


Osama Elnaggar

On April 12, 2017 at 3:25:49 PM, Norman Yue (norman.yue at owasp.org) wrote:

Hey folks,

Greetings from sunny Sydney - I hope this email finds you well. I apologise
for spamming owasp-leaders with this, but I think this is important enough
that this warrants the attention of the international leadership community.

Traditionally, we have been a trusted source of information with regards to
web application information security, providing both tools and technical
reference information to developers and application security professionals,
to help secure the Internet for everyone.

Today, "Insufficient Attack Protection" is actually being considered for
inclusion in an OWASP Top Ten list.

(Constructively, I think this should be replaced with something like
"improper trust modelling", and we push the Google BeyondCorp line of
thinking https://research.google.com/pubs/pub43231.html - the polar
opposite to "buy a waf").

Words do not express my burning rage, and my disappointment that no-one
else appears to feel the same way (I read through the owasp-topten list
before posting this). Do people still care about the future of this
community, and how OWASP is perceived throughout the information security

With best regards,

Owasp-topten mailing list
Owasp-topten at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170412/9e5ae8b3/attachment.html>

More information about the Owasp-topten mailing list