[Owasp-topten] OWASP Top 10 - 2017 Release Candidate - Comments

Marcello Duarte marcello at cybersightgroup.com
Wed Apr 12 16:09:25 UTC 2017

Traditionally the use case we've had for OWASP top 10 is for training
developers on common mistakes found in webapps and how to avoid them. In
pentesting it's also served as a common checklist of items to test against.

Items 7 and 10 feel out of place for me given my traditional use cases for

Addition 7 is not a class of vulnerability. It's also not something a
developer can easily address. Let's be serious, are developers expected to
re-implement WAF capabilities into every web application now? I can't
seriously make this recommendation to a client. The solution cannot simply
be "buy a WAF". I'm not in the business of selling and setting up WAFs.
This raises serious concerns about the vendor neutrality of OWASP. I'm not
arguing against the use of a WAF. I'm simply stating that it probably
doesn't belong on this list. This is a slippery slope; for example, will
future versions of OWASP contain recommendations such as "Buy AV Software"?

Addition 10 is too vague to merit an entire bullet on its own. This should
be a side note to apply OWASP to both web and API layers. This spot
would be better filled with an actual class of vulnerability such as
serialization bugs, for example ;-).

Marcello Duarte
Chief Research Officer
