[Owasp-topten] RC1 Feedback - A7 – Insufficient Attack Protection

Christian Folini christian.folini at netnea.com
Thu Apr 13 08:43:20 UTC 2017


Hello Thorsten,

On Thu, Apr 13, 2017 at 07:38:26AM +0000, Delbrouck-Konetzko Thorsten
wrote:
> From a policy point of view: The other nine points all cover aspects
> which MUST be considered for any type of web application (as far as
> they are technically applicable) but A7 seems to be an “extra” that
> you’d only want for the more sophisticated applications. With our
> OWASP baseline approach we’re telling our suppliers (and our internal
> IT): “This is what you absolutely have to do, for anything beyond that
> – let’s talk about it.”
> 
> The nine “passive” aspects are fairly isolated in their scope and
> are mostly “deterministic” during a plan/build phase.

I think you assess the character of the items in the new Top10
correctly, but you come to different conclusions.

Application security has been around for a very long time. I have
a copy of a Prentice Hall book on computer security from 1973 on my
desk. It basically advocates the same design and implementation
methods that we still pursue. Yet secure software is rare and secure
online services are rarer still. The traditional approach
of writing secure code and then putting it out on the internet
does not work.

In my experience, the "passive" approach is part of the problem.
Security is not finished when the code is deployed. Security
is a process and it has to encompass development and operation.
You need to have the developers in the boat, but you also need the
architects and system engineers.

So what I think we need to do with the new Top10 including A7 is
to sit together with the developers and make sure everybody
contributes to the whole security process. Traditional developers will
naturally address the more passive items, while security engineers
like myself tend to contribute to additional layers of security or
help with facilitating quick responses. The interface with the
developers will be more complicated. But people will have a clearer
understanding of the various contributions to the overall picture.
If A7 facilitates this it's a step in the right direction.

If traditional approaches to security ("Write secure code!") worked,
we would not be here. A7 is a new approach with a much wider
perspective. I agree it has to be refined and a crystal clear wording
has to be found, but it totally has a place in the Top10.

Best,

Christian Folini

-- 
It ought to be remembered that there is nothing more difficult to
take in hand, more perilous to conduct, or more uncertain in its
success, than to take the lead in the introduction of a new order of
things.
--- Niccolò Machiavelli
