[Owasp-topten] Unsubscribe

James Clark jclark at hillsdale.edu
Wed Apr 12 14:38:53 UTC 2017


From: owasp-topten-bounces+jclark=hillsdale.edu at lists.owasp.org [mailto:owasp-topten-bounces+jclark=hillsdale.edu at lists.owasp.org] On Behalf Of David Caissy
Sent: Wednesday, April 12, 2017 10:36 AM
To: owasp-topten at lists.owasp.org
Subject: [Owasp-topten] Happy with RC1 !

Hi everyone,

Like most of you guys, I'm a web app pen tester (ex developer) and I have been doing VAs and pen tests for years. And like everyone else on this mailing list, I was eager to see the new Top 10!

Here are my 2 cents:

1) Very happy that A4 and A7 are back together under "A4 - Broken Access Control". I see tons of these in my assessments, but they really are two variations of the same thing.

2) Also glad to see the "A10 - Unvalidated Redirects and Forwards" gone to make room for other more important/common security risks.

3) About the new "A7 - Insufficient Attack Protection", I tend to disagree with most comments made on this mailing list for several reasons:

a) First, in most cases (but there are exceptions!!), attacking a web app which is not protected by either a WAF, RASP, AppSensor, etc. is almost a joke. Sending tons of obvious attacks at a web app should never be allowed... Even when the application is already very secure, I think this kind of defense is a must. If you can scan a web site without raising alarms, you rely heavily on the application and the security maturity of the development team.

b) Not all WAFs are commercial products, so I don't feel it's a push for vendors...

c) We all know that WAFs are only good against some classes of attacks and personally, I've never seen them as band aids (but I agree that maybe people do...). I also often bypass them, but that doesn't mean that they are not important. To me, it's the same as a regular firewall: they protect against the easy stuff and for that reason, they are important. But they are only a component in the big picture, not the solution to all security problems!

d) To an extent, I don't think developers should worry much about DDoS attacks. Other tools are there for that.

e) In almost all my pen tests, I find that there's a huge lack of detection and response. So maybe there should be more emphasis on logs in A7?

4) "A10 - Underprotected APIs" is obviously covered by the other 9 items, but it's not a bad idea to raise awareness on them. I still see lots of developers who think that HTML forms are the only attack surface of a web application. So like XSS and CSRF are injection attacks, it's not a bad idea to focus on them for a while. Maybe we should change A10 to SSRF in 2020? Keeping the last one for awareness isn't a bad idea...

Overall, I'm quite pleased with the new Top 10 as I feel they better reflect what I've been seeing in my assessments. 2017 is definitely better than the 2013 version, so good job!! ;)

Dave