[Owasp-topten] Happy with RC1 !

Timothy D. Morgan tim.morgan at owasp.org
Wed Apr 12 15:13:18 UTC 2017


Thanks for providing another perspective David.

> Here are my 2 cents:
> 
> 1) Very happy that A4 and A7 are back together under "A4 - Broken Access
> Control". I see tons of these in my assessments, but they really are two
> variations of the same thing.
> 
> 2) Also glad to see the "A10 - Unvalidated Redirects and Forwards" gone to
> make room for other more important/common security risks.

I agree with these, and should have said so in my previous critiques.  A10
should have never been added in the first place.


> 3) About the new "A7 - Insufficient Attack Protection", I tend to disagree
> with most comments made on this mailing list for several reasons:
> 
> a) First, in most cases (but there are exceptions!!), attacking a web app
> which is not protected by either a WAF, RASP, AppSensor, etc. is almost a
> joke. Sending tons of obvious attacks at a web app should never be
> allowed... Even when the application is already very secure, I think this
> kind of defense is a must. If you can scan a web site without raising
> alarms, you rely heavily on the application and the security maturity of
> the development team.

I've been an application pentester for 12 years and when I exploit a bug, I
rarely notice any WAF getting in the way.  I know many of my clients use WAFs,
so....

> b) Not all WAFs are commercial products, so I don't feel it's a push for
> vendors...

Maybe... though the kind of people that believe the Top 10 is the beginning and
end of application security are the same kind of people who wouldn't know how
to set up an open source WAF.


> c) We all know that WAFs are only good against some classes of attacks and
> personally, I've never seen them as band aids (but I agree that maybe
> people do...). I also often bypass them, but that doesn't mean that they
> are not important. To me, it's the same as a regular firewall: they protect
> against the easy stuff and for that reason, they are important. But they
> are only a component in the big picture, not the solution to all security
> problems!

Ok, that sounds reasonable, but what about all of the vulnerabilities they
introduce?  What about spending that time/money on other security controls that
might have a better security return on investment?  What is the ultimate
security ROI of a WAF and how does that compare to other options?  Putting this
in the top 10 signals to people that a WAF is a "best practice" for all web
applications.  I think that is a huge mistake.


> d) To an extent, I don't think developers should worry much about DDoS
> attacks. Other tools are there for that.

Agreed.  But most of DDoS mitigation is completely out of scope for this kind
of list.

> e) In almost all my pen tests, I find that there's a huge lack of detection
> and response. So maybe there should be more emphasis on logs in A7?

I can appreciate encouraging people to do better application logging.


> 4) "A10 - Underprotected APIs" is obviously covered by the other 9 items,
> but it's not a bad idea to raise awareness on them. I still see lots of
> developers who think that HTML forms are the only attack surface of a web
> application. So like XSS and CSRF are injection attacks, it's not a bad
> idea to focus on them for a while. Maybe we should change A10 to SSRF in
> 2020? Keeping the last one for awareness isn't a bad idea...

But is it actionable?  Is that action "install an API WAF"?  Do we want to
*further* compromise the perception of this list in the eyes of the security
community?  If we do that too often, it'll eventually get dropped from
standards.

tim