[Owasp-topten] [Owasp-leaders] On "Insufficient Attack Protection", and the role of OWASP...

Tanya Janca tanya.janca at owasp.org
Thu Apr 13 00:05:35 UTC 2017


I second Michael's comments; I feel it's a brilliant addition.

On Apr 12, 2017 7:36 PM, "Michael Coates" <michael.coates at owasp.org> wrote:

> There will be lots of discussion on the new Top10 RC, which is great. I
> encourage many to bring comments, feedback and data to the conversation.
>
> I'll keep my comments brief. I'm very much in favor of A7. It could use
> some word cleanup, perhaps a more fitting title too. But the spirit of
> what's being discussed is an important advancement to defending web
> applications. (Also, I don't consider this to be a WAF recommendation, I
> wouldn't go that route on this at all)
>
> A7 reminds me of the massive credential stuffing attacks issue that has
> hit many big sites over the past 18 months. No amount of secure dev, top
> 10s, or WAFs stop credential stuffing. Instead you need active defense that
> is smartly part of the application design.
>
> So, if A7 draws attention to this type of issue (or similar - see OWASP
> automated threats
> <https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications>)
> then I consider that a win.
>
> Just my 2cent contribution to the larger conversation.
>
> Carry on security folks!
>
>
>
>
> --
> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
>
>
>
>
>
>
> On Wed, Apr 12, 2017 at 4:42 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>> As a Contributing company to the Top10 stats I'd like to understand the
>> stats behind both new additions. Appreciated if someone can point me to the
>> right files/stats model?
>>
>>
>>
>>
>> Sent from my iPhone
>>
>> On 12 Apr 2017, at 05:19, Azzeddine Ramrami <azzeddine.ramrami at owasp.org>
>> wrote:
>>
>> Hi,
>>
>> I agree to change the name from "Insufficient Attack Protection" but not
>> to "Improper Trust Modeling".
>>
>> I suggest to change it to "Insufficient Attack Detection and Response".
>>
>> Regards,
>> Azzeddine
>>
>> On Wed, Apr 12, 2017 at 7:24 AM, Norman Yue <norman.yue at owasp.org> wrote:
>>
>>> Hey folks,
>>>
>>> Greetings from sunny Sydney - I hope this email finds you well. I
>>> apologise for spamming owasp-leaders with this, but I think this is
>>> important enough that this warrants the attention of the international
>>> leadership community.
>>>
>>> Traditionally, we have been a trusted source of information with regards
>>> to web application information security, providing both tools and technical
>>> reference information to developers and application security professionals,
>>> to help secure the Internet for everyone.
>>>
>>> Today, "Insufficient Attack Protection" is actually being considered for
>>> inclusion in an OWASP Top Ten list.
>>>
>>> (Constructively, I think this should be replaced with something like
>>> "improper trust modelling", and we push the Google BeyondCorp line of
>>> thinking https://research.google.com/pubs/pub43231.html - the polar
>>> opposite to "buy a waf").
>>>
>>> Words do not express my burning rage, and my disappointment that no-one
>>> else appears to feel the same way (I read through the owasp-topten list
>>> before posting this). Do people still care about the future of this
>>> community, and how OWASP is perceived throughout the information security
>>> industry?
>>>
>>> With best regards,
>>>
>>>
>>> Norm
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>> --
>> Azzeddine RAMRAMI
>> +33 6 65 48 90 04.
>> OWASP CSRFGuard Project Leader
>> OWASP Leader (Morocco Chapter)
>> Cognitive Security Expert
>>
>>
>>
>>
>>
>
>
>
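As an added illustration of the "active defense that is smartly part of the application design" Michael argues for against credential stuffing (and of the "detection and response" framing Azzeddine proposes for the category name), the following example is written for this edit; it is not code from the thread participants or from any OWASP project. The log format, the thresholds, the sample events and the function names are all constructed assumptions. It flags a source that tries many distinct usernames with a high failure ratio inside a short window (the classic credential-stuffing shape, as opposed to one account being brute-forced), and turns the finding into an in-application response: throttle the source and require step-up authentication for any account that logged in successfully during the burst.

```python
"""Application-side credential-stuffing detection and response (added example).

Assumed log line format (constructed): "<ISO timestamp> <source ip> <username> <OK|FAIL>".
Thresholds are illustrative; a real deployment would tune them from its own traffic.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one source sweeps many usernames (one hit on "frank"),
# a genuine user (alice) mistypes once and then succeeds, and heidi logs in normally.
SAMPLE_LOG = """\
2017-04-12T09:00:01 203.0.113.7 alice FAIL
2017-04-12T09:00:02 203.0.113.7 bob FAIL
2017-04-12T09:00:02 203.0.113.7 carol FAIL
2017-04-12T09:00:03 203.0.113.7 dave FAIL
2017-04-12T09:00:04 203.0.113.7 erin FAIL
2017-04-12T09:00:05 203.0.113.7 frank OK
2017-04-12T09:00:07 203.0.113.7 grace FAIL
2017-04-12T09:00:07 198.51.100.4 alice FAIL
2017-04-12T09:00:09 198.51.100.4 alice OK
2017-04-12T09:10:00 192.0.2.9 heidi OK
"""

WINDOW = timedelta(seconds=60)   # sliding window per source (assumed value)
MIN_DISTINCT_USERS = 5           # many *different* accounts = stuffing, not brute force
MIN_FAILURE_RATIO = 0.75         # stuffing lists mostly miss; expect a high failure share


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def detect_credential_stuffing(events: list[Event]) -> dict[str, dict]:
    """Return {source_ip: finding} for sources whose attempts within any WINDOW touch
    at least MIN_DISTINCT_USERS accounts with a failure ratio >= MIN_FAILURE_RATIO.
    The finding kept for a source is the qualifying window with the most attempts."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    findings: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most WINDOW.
            while evs[end].ts - evs[start].ts > WINDOW:
                start += 1
            window = evs[start:end + 1]
            users = {e.user for e in window}
            failures = sum(1 for e in window if not e.ok)
            ratio = failures / len(window)
            if len(users) >= MIN_DISTINCT_USERS and ratio >= MIN_FAILURE_RATIO:
                if ip not in findings or len(window) > findings[ip]["attempts"]:
                    findings[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(window),
                        "failure_ratio": round(ratio, 2),
                        # Accounts the attacker got into during the burst need attention.
                        "succeeded": sorted(e.user for e in window if e.ok),
                    }
    return findings


def plan_response(findings: dict[str, dict]) -> dict[str, list[str]]:
    """Map findings to responses the application itself can enforce: slow the
    source down, and demand step-up authentication (e.g. MFA) plus a review for
    accounts that saw a successful login inside a stuffing burst."""
    return {
        "throttle_sources": sorted(findings),
        "step_up_accounts": sorted({u for f in findings.values() for u in f["succeeded"]}),
    }


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, f in found.items():
        print(f"{ip}: {f}")
    print(plan_response(found))
```

Note what the rule does not flag: alice's failed-then-successful login from 198.51.100.4 is one account retrying, so it never reaches the distinct-user threshold. That distinction is what lets the response be targeted (throttle one source, step up one account) instead of a blanket block that would punish legitimate users.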