[Owasp-topten] [Owasp-leaders] On "Insufficient Attack Protection", and the role of OWASP...

James Kettle albinowax at gmail.com
Wed Apr 12 10:34:03 UTC 2017


Hi all,

Like various others, I think #7 Insufficient Attack Protection is a dubious
addition to this list. AppSensor is cool (and probably underrated) but
lacking active defense is not a significant risk for well secured websites,
and adding it can cause major disadvantages.

For a start, complying with this recommendation makes it really rather
awkward to run a decent bug bounty. If your bounty program covers your
production systems (which most public bounties do), you'll end up banning,
disabling and otherwise discouraging legitimate researchers. If you attempt
to work around this problem by telling people to target a staging site with
no protections, you'll miss out on vulnerabilities only present in
production, and also partially negate the benefits of using fancy defensive
measures in the first place.

For that matter, if your project is open source then you get no benefit
from most active defence against motivated human attackers - they can just
deploy your app on their own system and figure out how to exploit that on
their own terms.

There's also the increased attack surface they can cause - look to
antivirus software to see how attempts to layer on security can backfire
and cause net harm.

I don't think WAFs and active defence are always bad - they're great used
as a bandaid on a highly insecure application that's too awkward to patch
properly. But if a site has a decent security posture, it simply doesn't
need to react when a person is trying to hack it, let alone an automated
scanner. Take a look at internet giants that have massive web attack
surface and take security seriously - Google, Facebook, Github, etc. To my
knowledge none of them use WAFs, because they know it wouldn't achieve
anything.

This is why 'Insufficient Attack Protection' has no place in that list.
Every other item listed is clearly a net positive to a site's security,
whereas tacking on a WAF may be a great idea, a waste of resources or a net
negative depending on the application.

There are more comments from the community over at https://www.reddit.com/r/
netsec/comments/64pou3/owasp_top_10_2017_release/ and
https://twitter.com/albinowax/status/851731940294225921

Cheers,

James Kettle
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170412/a484d64c/attachment.html>


More information about the Owasp-topten mailing list