[Owasp-topten] [Owasp-leaders] On "Insufficient Attack Protection", and the role of OWASP...

johanna curiel curiel johanna.curiel at owasp.org
Thu Apr 13 14:06:52 UTC 2017


>> Alternative recommendations might be the Java HTML Sanitizer

So far in the OWASP Bounty program and the submissions received, no one has
been able to break it. I encourage participating in the bounty if anyone
can break it 😁

https://bugcrowd.com/owaspjavasanitizer

Cheers

Johanna

On Thu, Apr 13, 2017 at 9:58 AM, Bjoern Kimminich <
bjoern.kimminich at owasp.org> wrote:

> Hi all,
>
> Except for some "gut-feeling" I did not really create an elaborate
> opinion about the two newcomers to the Top10. What I can say with
> absolute certainty is:
>
> *THANK YOU* for merging "Insecure Direct Object References" and
> "Missing Function Level Access Control" back into one item! During my
> developer trainings I always felt that the separation of these two was
> kind-of artificial/arbitrary. It will be much easier to explain both
> aspects of this risk in one training segment rather than split across
> two!
>
> Also a big (just slightly less than the previous all-caps-big) *Thank
> You* for dropping the rather boring (again, from a trainer's
> perspective) "Unvalidated Redirects and Forwards"! :-)
>
> Unfortunately the "What’s Next for Developers" section did not get
> much attention during the update. It refers to "Broken Web
> Applications Project" which is officially inactive. Instead I would
> add "Security Shepherd", especially as it went Flagship
> recently?
>
> It also refers to "ESAPI", which seems not exactly active either.
> Alternative recommendations might be the Java HTML Sanitizer or
> non-OWASP projects such as Bouncy Castle and Spring Security? Those
> cover only the Java ecosystem, though. In e.g. the Javascript world
> there is much more variety, but less stability as well. So maybe OWASP
> is better off with some "generic" recommendation to pick a proven and
> stable security library for your language of choice?
>
> Cheers,
> Björn
>
> On Thu, Apr 13, 2017 at 2:49 PM, johanna curiel curiel
> <johanna.curiel at owasp.org> wrote:
> > https://danielmiessler.com/blog/comments-owasp-top-10-2017-draft/#gs.WXVi5Dw
> >
> > On Wed, Apr 12, 2017 at 9:48 PM, Dave Wichers <dave.wichers at owasp.org>
> > wrote:
> >>
> >> The OWASP Top 10 - 2017 data call data and some basic analysis of it are
> >> available in this folder on GitHub:
> >> https://github.com/OWASP/Top10/tree/master/2017/datacall. It's a simple
> >> multi-tab Excel spreadsheet.
> >>
> >> -Dave
> >>
> >>
> >> On Wed, Apr 12, 2017 at 7:42 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
> >>>
> >>> As a Contributing company to the Top10 stats I'd like to understand the
> >>> stats behind both new additions. Appreciated if someone can point me to the
> >>> right files/stats model?
> >>>
> >>>
> >>>
> >>>
> >>> Sent from my iPhone
> >>>
> >>> On 12 Apr 2017, at 05:19, Azzeddine Ramrami <azzeddine.ramrami at owasp.org> wrote:
> >>>
> >>> Hi,
> >>>
> >>> I agree to change the name from "Insufficient Attack Protection" but not
> >>> to "Improper Trust Modeling".
> >>>
> >>> I suggest changing it to "Insufficient Attack Detection and Response".
> >>>
> >>> Regards,
> >>> Azzeddine
> >>>
> >>> On Wed, Apr 12, 2017 at 7:24 AM, Norman Yue <norman.yue at owasp.org> wrote:
> >>>>
> >>>> Hey folks,
> >>>>
> >>>> Greetings from sunny Sydney - I hope this email finds you well. I
> >>>> apologise for spamming owasp-leaders with this, but I think this is
> >>>> important enough that this warrants the attention of the international
> >>>> leadership community.
> >>>>
> >>>> Traditionally, we have been a trusted source of information with regards
> >>>> to web application information security, providing both tools and technical
> >>>> reference information to developers and application security professionals,
> >>>> to help secure the Internet for everyone.
> >>>>
> >>>> Today, "Insufficient Attack Protection" is actually being considered for
> >>>> inclusion in an OWASP Top Ten list.
> >>>>
> >>>> (Constructively, I think this should be replaced with something like
> >>>> "improper trust modelling", and we push the Google BeyondCorp line of
> >>>> thinking https://research.google.com/pubs/pub43231.html - the polar opposite
> >>>> to "buy a waf").
> >>>>
> >>>> Words do not express my burning rage, and my disappointment that no-one
> >>>> else appears to feel the same way (I read through the owasp-topten list
> >>>> before posting this). Do people still care about the future of this
> >>>> community, and how OWASP is perceived throughout the information security
> >>>> industry?
> >>>>
> >>>> With best regards,
> >>>>
> >>>>
> >>>> Norm
> >>>>
> >>>> _______________________________________________
> >>>> OWASP-Leaders mailing list
> >>>> OWASP-Leaders at lists.owasp.org
> >>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> Azzeddine RAMRAMI
> >>> +33 6 65 48 90 04.
> >>> OWASP CSRFGuard Project Leader
> >>> OWASP Leader (Morocco Chapter)
> >>> Cognitive Security Expert
> >>>
> >>
> >
> >
> >
> > --
> > Johanna Curiel
> > OWASP Volunteer
> >
>



-- 
Johanna Curiel
OWASP Volunteer