[Owasp-topten] RC1 Feedback - A7 – Insufficient Attack Protection

Delbrouck-Konetzko Thorsten thorsten.delbrouck at gi-de.com
Thu Apr 13 07:38:26 UTC 2017

Good Morning,

Just a quick one on the new OWASP Top 10:

We’re using the Top 10 as a baseline for our suppliers (usually agencies setting up micro sites for products or dedicated landing pages for trade shows etc.).

The update is much appreciated and contains lots of positive changes, but I can see issues with A7 (Insufficient Attack Protection) coming up. This one feels somewhat “artificial”, at least in the context that we’re using it for. Also, it seems to be the only one which is “active” in its nature (describing a reactive pattern or actions/decisions to be performed at runtime), while the other nine are rather “passive” and describe features or specific characteristics of the respective aspects.

From a policy point of view: The other nine points all cover aspects which MUST be considered for any type of web application (as far as they are technically applicable), but A7 seems to be an “extra” that you’d only want for the more sophisticated applications. With our OWASP baseline approach we’re telling our suppliers (and our internal IT): “This is what you absolutely have to do; for anything beyond that, let’s talk about it.”

The nine “passive” aspects are fairly isolated in their scope and are mostly “deterministic” during a plan/build phase. However, if you leave A7 in there as it is, this has the potential to turn build/run and subsequent troubleshooting into an uncontrollable nightmare. I certainly do not want third parties to build reactive controls into their applications.

I’d really appreciate it if you could revisit A7 and find a way to rephrase it. Right now I’d have to take it out completely, which diminishes the value of the Top 10.

If you want to discuss this further I’d be happy to, please just let me know!

Best Regards
Thorsten Delbrouck

Thorsten Delbrouck
Corporate Chief Information Security Officer

Phone +49 89 4119-3895  |  Fax +49 89 4119-1840  |  Mobile +49 172 301 344 5  |  mailto:thorsten.delbrouck at gi-de.com
Giesecke & Devrient GmbH  |  Prinzregentenstr. 159, D-81677 Munich, Germany  |  https://www.gi-de.com/

Chairman of the Supervisory Board: Prof. Klaus Josef Lutz
Managing Directors: Ralf Wintergerst (Chairman, CEO), Hans Wolfgang Kunz, Dr. Peter Zattler (CFO)
Registered office: Munich, Commercial Register Munich Local Court HRB 4619
For the sake of the environment, please check whether printing this e-mail is necessary. G&D is committed to climate protection.<http://www.gi-de.com/deu/de/about_g_d/responsibility_2/climate_environmental_protection/climate-and-environmental-protection.jsp>