[Owasp-topten] RC1 Feedback - A7 – Insufficient Attack Protection

Jeff Sergeant jeffuk at gmail.com
Thu Apr 13 15:46:13 UTC 2017


Hi Thorsten,

Have you considered using the ASVS? It seems much more suited to what you're
doing.

You could insist on compliance against level 1 of the ASVS for those sorts
of sites.

I've seen it used this way to great effect.

Regards

Jeff Sergeant


On Thu, 13 Apr 2017 at 08:39, Delbrouck-Konetzko Thorsten <thorsten.delbrouck at gi-de.com> wrote:

> Good Morning,
>
> Just a quick one on the new OWASP Top 10:
>
> We’re using the Top 10 as a baseline for our suppliers (usually agencies
> setting up micro sites for products or dedicated landing pages for trade
> shows etc.).
>
> The update is much appreciated and contains lots of positive changes, but I
> can see issues with A7 (Insufficient Attack Protection) coming up; this one
> feels somewhat “artificial”, at least in the context that we’re using it
> for. Also, it seems to be the only one which is “active” in its nature
> (describing a reactive pattern or actions/decisions to be performed at
> runtime) while the other nine are rather “passive” and describe features or
> specific characteristics of the respective aspects.
>
> From a policy point of view: The other nine points all cover aspects which
> MUST be considered for any type of web application (as far as they are
> technically applicable) but A7 seems to be an “extra” that you’d only want
> for the more sophisticated applications. With our OWASP baseline approach
> we’re telling our suppliers (and our internal IT): *“This is what you
> absolutely have to do, for anything beyond that – let’s talk about it.”*.
>
> The nine “passive” aspects are fairly isolated in their scope and are
> mostly “deterministic” during a plan/build phase. However, if you leave A7
> in there as it is, this has the potential to turn build/run and subsequent
> troubleshooting into an uncontrollable nightmare. I certainly do not want
> third parties to build reactive controls into their applications.
>
> I’d really appreciate it if you could revisit A7 and find a way to rephrase
> it. Right now I’d have to take it out completely, which diminishes the
> value of the Top 10.
>
> If you want to discuss this further I’d be happy to, please just let me
> know!
>
> Best Regards
>
> Thorsten Delbrouck
>
> *Thorsten Delbrouck*
>
> Corporate Chief Information Security Officer
>
> Phone +49 89 4119-3895  |  Fax +49 89 4119-1840  |  Mobile +49 172 301 344 5  |  mailto:thorsten.delbrouck at gi-de.com
>
> Giesecke & Devrient GmbH  |  Prinzregentenstr. 159, D-81677 Munich, Germany  |  https://www.gi-de.com/