[Owasp-topten] Top 10 2017 RC1 feedback - A7

Nicolas BONNEFOUS bonnefousn at vaadata.com
Thu Apr 13 16:42:02 UTC 2017


My first reaction when seeing the new list of categories in that Top 10 was regarding A7 – Insufficient Attack Protection.

Obviously, the app must defend itself against attacks, but that’s described in other topics of the top 10 (SQLi, XSS...).
What goes beyond these protections looks to me as IDS, WAF, logging, traffic analysis, and is not the job of the app itself (to the developer neither, with some exceptions).

My opinion is that the top 10 (at least this very top 10 helping developers with their developments) must focus on what the app can do.
I have seen several cases where developers use a WAF (like mod_proxy) to implement their controls. All of them! 
Let’s help developers strengthen their app, not relying on other tools.

Sys admins, and other security staff must work on other ways to defend their platforms (from a wider perspective).

What do you think?


On 13/04/2017, 14:00, "owasp-topten-bounces+bonnefousn=vaadata.com at lists.owasp.org on behalf of owasp-topten-request at lists.owasp.org" <owasp-topten-bounces+bonnefousn=vaadata.com at lists.owasp.org on behalf of owasp-topten-request at lists.owasp.org> wrote:

    Send Owasp-topten mailing list submissions to
    	owasp-topten at lists.owasp.org
    To subscribe or unsubscribe via the World Wide Web, visit
    or, via email, send a message with subject or body 'help' to
    	owasp-topten-request at lists.owasp.org
    You can reach the person managing the list at
    	owasp-topten-owner at lists.owasp.org
    When replying, please edit your Subject line so it is more specific
    than "Re: Contents of Owasp-topten digest..."
    Today's Topics:
       1. Re: RC1 Feedback -  A7 ? Insufficient Attack Protection
          (Christian Folini)
       2. Re: [Owasp-leaders] Released: OWASP Top 10 ? 2017 Release
          Candidate (Christian Folini)
    Message: 1
    Date: Thu, 13 Apr 2017 10:43:20 +0200
    From: Christian Folini <christian.folini at netnea.com>
    To: Delbrouck-Konetzko Thorsten <thorsten.delbrouck at gi-de.com>,
    	OWASP-TopTen at lists.owasp.org
    Subject: Re: [Owasp-topten] RC1 Feedback -  A7 ? Insufficient Attack
    Message-ID: <20170413084320.7s6vf53bm3gtp2zg at leander>
    Content-Type: text/plain; charset=utf-8
    Hello Thorsten,
    On Thu, Apr 13, 2017 at 07:38:26AM +0000, Delbrouck-Konetzko Thorsten
    > From a policy point of view: The other nine points all cover aspects
    > which MUST be considered for any type of web application (as far as
    > they are technically applicable) but A7 seems to be an ?extra? that
    > you?d only want for the more sophisticated applications. With our
    > OWASP baseline approach we?re telling our suppliers (and our internal
    > IT): ?This is what you absolutely have to do, for anything beyond that
    > ? let?s talk about it.?.
    > The nine ?passive? aspects are fairly isolated and in their scope and
    > are mostly ?deterministic? during a plan/build phase.
    I think you assess the character of the items in the new Top10
    correctly, but you come to different conclusions.
    Application security has been around for a very long time. I have
    a copy of a Prentice Hall book on computer security from 1973 on my
    desk. It basically advocates the same design and implementation
    methods that we still pursue. Yet secure software is rare and secure
    online services are even rarer still. The traditional approach
    with writing secure code and then putting it out in the internet
    does not work.
    In my experience, the "passive" approach is part of the problem.
    Security is not finished when the code is deployed. Security
    is a process and it has to encompass development and operation. 
    You need to have the developers in the boat, but you also need the 
    architects and system engineers.
    So what I think we need to do with the new Top10 including A7 is
    sitting together with the developers and make sure everybody
    contributes to the whole security process. Traditional developers will 
    naturally address the more passive items, while security engineers
    like myself tend to contribute to additional layers of security or
    help with facilitating quick responses. The interface with the
    developers will be more complicated. But people will have a clearer
    understanding of the various contributions to the overall picture.
    If A7 facilitates this it's a step in the right direction.
    If traditional approaches to security ("Write secure code!") would
    work, we would not be here. A7 is a new approach with a much wider 
    perspective. I agree it has to be refined and a crystal clear wording
    has to be found, but it totally has a place in the Top10.
    Christian Folini
    It ought to be remembered that there is nothing more difficult to
    take in hand, more perilous to conduct, or more uncertain in its
    success, than to take the lead in the introduction of a new order of
    --- Niccol? Machiavelli
    Message: 2
    Date: Thu, 13 Apr 2017 10:48:16 +0200
    From: Christian Folini <christian.folini at netnea.com>
    To: OWASP TopTen <owasp-topten at lists.owasp.org>
    Subject: Re: [Owasp-topten] [Owasp-leaders] Released: OWASP Top 10 ?
    	2017 Release Candidate
    Message-ID: <20170413084816.qdqftmphpksbtpae at leander>
    Content-Type: text/plain; charset=utf-8
    On Wed, Apr 12, 2017 at 05:29:23PM -0700, Osama Elnaggar wrote:
    > A developer may launch their application with components that are
    > up-to-date and don't have know vulnerabilities but this isn't going to
    > last for long.  Slide 13 from Jeremiah's talk about Cyber Insurance (
    > https://www.blackhat.com/docs/us-16/materials/us-16-Grossman-An-Insiders-Guide-To-Cyber-Insurance-And-Security-Guarantees.pdf)
    > covers the average time to fix in days for Known web vulnerabilities
    > found with the average around 130 days.  So this last point is
    > basically saying: bugs will be found on your site.  How quickly will
    > you patch them (either permanently in the code if the vulnerability is
    > in your code and not a 3rd party component or virtually using a WAF,
    > RASP, etc. until it can be fixed and a new deployment rolled out)?
    > Having this issue on the table and addressed by developers, project
    > managers, operations, etc is great.  Security vulnerabilities can be
    > given greater weight and teams can try to streamline the process for
    > developing, testing, and rolling out patches.  WAFs and RASP can add
    > an additional layer of security until these issues are patched in the
    > code.  Not having something like this is the reason that we see 100+
    > days of exposures for known web applications as highlighted in the
    > presentation above.
    Exactly my thinking, Osama. Security is a process and hoping the
    developers could write secure code using secure libraries and frameworks
    is futile. You need to plan for active response to new threats or
    attacks. And this goes way beyond traditional secure coding. The new
    A7 leads the way.
    There are two primary choices in life: (1) To accept conditions as they
    exist, or (2) accept responsibility for changing them.
    -- Denis Waitley
    Owasp-topten mailing list
    Owasp-topten at lists.owasp.org
    End of Owasp-topten Digest, Vol 84, Issue 17
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4494 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170413/93d19376/attachment-0001.bin>

More information about the Owasp-topten mailing list