jclark at hillsdale.edu
Wed Apr 12 14:38:53 UTC 2017
From: owasp-topten-bounces+jclark=hillsdale.edu at lists.owasp.org [mailto:owasp-topten-bounces+jclark=hillsdale.edu at lists.owasp.org] On Behalf Of David Caissy
Sent: Wednesday, April 12, 2017 10:36 AM
To: owasp-topten at lists.owasp.org
Subject: [Owasp-topten] Happy with RC1 !
Like most of you guys, I'm a web app pen tester (ex developer) and I have been doing VAs and pen tests for years. And like everyone else on this mailing list, I was eager to see the new Top 10!
Here are my 2 cents:
1) Very happy that A4 and A7 are back together under "A4 - Broken Access Control". I see tons of these in my assessments, but they really are two variations of the same thing.
2) Also glad to see the "A10 - Unvalidated Redirects and Forwards" gone to make room for other more important/common security risks.
3) About the new "A7 - Insufficient Attack Protection", I tend to disagree with most comments made on this mailing list for several reasons:
a) First, in most cases (but there are exceptions!!), attacking a web app which is not protected by either a WAF, RASP, AppSensor, etc. is almost a joke. Sending tons of obvious attacks at a web app should never be allowed... Even when the application is already very secure, I think this kind of defense is a must. If you can scan a web site without raising alarms, you rely heavily on the application and the security maturity of the development team.
b) Not all WAFs are commercial products, so I don't feel it's a push for vendors...
c) We all know that WAFs are only good against some classes of attacks and personally, I've never seen them as band aids (but I agree that maybe people do...). I also often bypass them, but that doesn't mean that they are not important. To me, it's the same as a regular firewall: they protect against the easy stuff and for that reason, they are important. But they are only a component in the big picture, not the solution to all security problems!
d) To an extent, I don't think developers should worry much about DDoS attacks. Other tools are there for that.
e) In almost all my pen tests, I find that there's a huge lack of detection and response. So maybe there should be more emphasis on logs in A7?
4) "A10 - Underprotected APIs" is obviously covered by the other 9 items, but it's not a bad idea to raise awareness on them. I still see lots of developers who think that HTML forms are the only attack surface of a web application. So like XSS and CSRF are injection attacks, it's not a bad idea to focus on them for a while. Maybe we should change A10 to SSRF in 2020? Keeping the last one for awareness isn't a bad idea...
Overall, I'm quite pleased with the new Top 10 as I feel they better reflect what I've been seeing in my assessments. 2017 is definitely better than the 2013 version, so good job!! ;)
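Points 3a and 3e above argue that an application should notice when a single source keeps sending requests that the application rejects, and that logs are where that detection has to start. The block below is an added illustration, not code from the original post or from any OWASP project: a minimal AppSensor-style pass over web server access logs that counts, per client address, requests the server answered with a validation-failure status and raises an alert once a source crosses a threshold inside a sliding time window. The status codes treated as "rejected input" (400 and 403), the threshold (5 in 60 seconds) and the log lines themselves are assumptions constructed for the example.

```python
"""
Added example (not part of the original mailing-list post).

Sliding-window detector over "combined" format access logs: a client that
accumulates THRESHOLD rejected requests inside WINDOW is flagged once.
Which statuses count as "rejected input" is an assumption about how the
application reports validation failures; real deployments would key on an
application-level event rather than raw HTTP status.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

REJECTED_STATUSES = {400, 403}   # assumption: these mean "input rejected"
WINDOW = timedelta(seconds=60)   # assumption: detection window
THRESHOLD = 5                    # assumption: failures per window before alerting

# Constructed sample log: one ordinary client, one noisy client whose
# parameter values keep getting rejected, one client with two failures
# spread far enough apart that the window prunes the first.
SAMPLE_LOG = """\
198.51.100.4 - - [12/Apr/2017:14:30:00 +0000] "GET /products?id=1 HTTP/1.1" 200 1203
203.0.113.9 - - [12/Apr/2017:14:30:01 +0000] "GET /products?id=1%27 HTTP/1.1" 400 321
203.0.113.9 - - [12/Apr/2017:14:30:02 +0000] "GET /products?id=%22 HTTP/1.1" 400 321
198.51.100.4 - - [12/Apr/2017:14:30:02 +0000] "GET /missing.png HTTP/1.1" 404 210
203.0.113.9 - - [12/Apr/2017:14:30:03 +0000] "GET /search?q=%3C HTTP/1.1" 400 321
203.0.113.9 - - [12/Apr/2017:14:30:04 +0000] "GET /search?q=%3E HTTP/1.1" 400 321
203.0.113.9 - - [12/Apr/2017:14:30:05 +0000] "GET /account?uid=0 HTTP/1.1" 403 198
203.0.113.9 - - [12/Apr/2017:14:30:06 +0000] "GET /account?uid=-1 HTTP/1.1" 403 198
203.0.113.9 - - [12/Apr/2017:14:30:07 +0000] "GET /products?id=abc HTTP/1.1" 400 321
192.0.2.77 - - [12/Apr/2017:14:30:10 +0000] "POST /login HTTP/1.1" 400 150
192.0.2.77 - - [12/Apr/2017:14:31:30 +0000] "POST /login HTTP/1.1" 400 150
"""


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """
    Walk log lines in order and return a list of (ip, timestamp, count)
    alerts; each source is reported once, at the request that crossed
    the threshold. Non-rejected responses never count against a client.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent rejections
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _req, status = rec
        if status not in REJECTED_STATUSES:
            continue
        q = failures[ip]
        q.append(ts)
        # Drop rejections that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts, len(q)))
    return alerts


if __name__ == "__main__":
    for ip, ts, n in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ip}: {n} rejected requests within {WINDOW} as of {ts.isoformat()}")
```

Run on the constructed log, only 203.0.113.9 is reported, at its fifth rejection; the 404 from the ordinary client is ignored because it is not a validation failure, and 192.0.2.77 never reaches the threshold because its two failures are more than a minute apart. The response side (what to do once a source is flagged) is deliberately left out; the point of the post is that the signal has to be collected and noticed first.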