[Owasp-topten] [Owasp-leaders] Released: OWASP Top 10 – 2017 Release Candidate

Christian Folini christian.folini at netnea.com
Thu Apr 13 08:48:16 UTC 2017


On Wed, Apr 12, 2017 at 05:29:23PM -0700, Osama Elnaggar wrote:
> A developer may launch their application with components that are
> up-to-date and don't have known vulnerabilities but this isn't going to
> last for long.  Slide 13 from Jeremiah's talk about Cyber Insurance (
> https://www.blackhat.com/docs/us-16/materials/us-16-Grossman-An-Insiders-Guide-To-Cyber-Insurance-And-Security-Guarantees.pdf)
> covers the average time to fix in days for known web vulnerabilities
> found with the average around 130 days.  So this last point is
> basically saying: bugs will be found on your site.  How quickly will
> you patch them (either permanently in the code if the vulnerability is
> in your code and not a 3rd party component or virtually using a WAF,
> RASP, etc. until it can be fixed and a new deployment rolled out)?
> Having this issue on the table and addressed by developers, project
> managers, operations, etc. is great.  Security vulnerabilities can be
> given greater weight and teams can try to streamline the process for
> developing, testing, and rolling out patches.  WAFs and RASP can add
> an additional layer of security until these issues are patched in the
> code.  Not having something like this is the reason that we see 100+
> days of exposure for known web applications as highlighted in the
> presentation above.

Exactly my thinking, Osama. Security is a process and hoping the
developers could write secure code using secure libraries and frameworks
is futile. You need to plan for active response to new threats or
attacks. And this goes way beyond traditional secure coding. The new
A7 leads the way.

Cheers,

Christian


-- 
There are two primary choices in life: (1) To accept conditions as they
exist, or (2) accept responsibility for changing them.
-- Denis Waitley

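The stopgap Osama and Christian describe above, a WAF/RASP rule that shields a known flaw until the code fix is deployed, is shown here as a small virtual-patch middleware. This is an added example for this thread, not code from either poster or from any WAF or RASP product. The guarded endpoints, parameter names, allow-list patterns, ticket ids and review dates are constructed assumptions; the point is the shape of a virtual patch: positive validation of one input, every repeated value checked, a ticket that ties the patch to the real fix, and a review date so the patch is retired rather than forgotten.

```python
"""Virtual patch for a known, not-yet-fixed input flaw, expressed as a small
WSGI middleware with positive (allow-list) validation.

Added example for this thread, not code from the original post or from any
WAF/RASP product. The endpoints, parameters, ticket ids, patterns and review
dates below are constructed assumptions for illustration.
"""
import logging
import re
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Sequence, Tuple
from urllib.parse import parse_qs

log = logging.getLogger("virtual_patch")


@dataclass(frozen=True)
class VirtualPatch:
    ticket: str           # id of the real code fix this patch stands in for (assumed)
    path: str             # exact request path the patch guards
    param: str            # parameter whose value is validated
    allow: "re.Pattern"   # allow-list pattern; the whole value must match it
    review_by: date       # date by which the code fix should have shipped


# Constructed rule set (assumed application, assumed tickets).
PATCHES: List[VirtualPatch] = [
    VirtualPatch("APP-1234", "/export", "format", re.compile(r"csv|pdf|xlsx"), date(2017, 5, 15)),
    VirtualPatch("APP-1301", "/account", "id", re.compile(r"[0-9]{1,10}"), date(2017, 5, 1)),
]


def evaluate(path: str, params: Dict[str, Sequence[str]], today: date,
             patches: Sequence[VirtualPatch] = PATCHES) -> Tuple[str, Optional[str]]:
    """Apply every patch that guards `path` to every value of its parameter.

    Returns ("allow", None) or ("block", reason). Every repeated value is
    checked, so `?id=1&id=1 OR 1=1` cannot slip past by parameter pollution.
    A patch past its review date still blocks (fail closed), but the reason is
    tagged OVERDUE so monitoring can surface patches that were never retired.
    """
    for p in patches:
        if p.path != path:
            continue
        for value in params.get(p.param, ()):
            if p.allow.fullmatch(value) is None:   # fullmatch: anchored at both ends
                tag = " OVERDUE" if today > p.review_by else ""
                return "block", f"{p.ticket}{tag}: {p.param}={value!r} rejected"
    return "allow", None


def overdue_patches(today: date, patches: Sequence[VirtualPatch] = PATCHES) -> List[VirtualPatch]:
    """Patches whose code fix should already have shipped: the list to chase."""
    return [p for p in patches if today > p.review_by]


class VirtualPatchMiddleware:
    """WSGI wrapper that enforces the patches before the request reaches the app."""

    def __init__(self, app, patches: Sequence[VirtualPatch] = PATCHES,
                 clock: Callable[[], date] = date.today):
        self.app, self.patches, self.clock = app, patches, clock

    def __call__(self, environ, start_response):
        # parse_qs keeps every repeated value and decodes percent-encoding, so
        # the pattern is matched against what the application would see.
        params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        verdict, reason = evaluate(environ.get("PATH_INFO", "/"), params,
                                   self.clock(), self.patches)
        if verdict == "block":
            log.warning("virtual patch block %s %s", environ.get("REMOTE_ADDR", "-"), reason)
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request rejected\n"]
        return self.app(environ, start_response)


if __name__ == "__main__":
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]

    logging.basicConfig(level=logging.WARNING)
    guarded = VirtualPatchMiddleware(app, clock=lambda: date(2017, 4, 13))
    for qs in ("format=csv", "format=csv&format=..%2F..%2Fetc%2Fpasswd"):
        status = []
        guarded({"PATH_INFO": "/export", "QUERY_STRING": qs}, lambda s, h: status.append(s))
        print(qs, "->", status[0])
```

Two caveats a practitioner would add: this only inspects the query string, so a patch for a flaw reachable through a POST body, a header or a cookie needs the same check at that input, and an allow-list that is too wide (or a pattern used with `match` instead of `fullmatch`) gives a false sense of protection. The `overdue_patches` list is the process hook: a virtual patch that outlives its review date is exactly the forgotten stopgap the 130-day figure above describes.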
