[Owasp-topten] Top 10 2017 RC1 feedback - A7

Dave Wichers dave.wichers at owasp.org
Thu Apr 13 17:32:35 UTC 2017


Thanks for your question.

I think a combination of Dev and Ops is going to have to deal with A7 for
most apps/orgs. Developers should improve the security logging their apps
generate. They should select and/or implement standard security controls
that generate proper detection events so the app can have the opportunity
to respond. They need to implement SECURITY logging. Right now most apps
don't, or halfheartedly throw a few security events into their normal logs
that are indistinguishable from the rest of the events. Then they need
mechanisms for analyzing those events. This could be custom, or leverage
libraries like OWASP AppSensor, or just feed your logs to some other tool,
like Splunk, and then configure them to do the analysis they need. Ops
could do the same thing completely outside the app just looking at the web
traffic. Or a combination of both.

Both Dev and Ops should have a strong role to play here in my opinion. But
certainly some orgs will do it purely with Ops, and not 'bother' the
developers with this stuff.

-Dave

On Thu, Apr 13, 2017 at 12:42 PM, Nicolas BONNEFOUS <bonnefousn at vaadata.com>
wrote:

> Hi,
>
> My first reaction when seeing the new list of categories in that Top 10
> was regarding A7 – Insufficient Attack Protection.
>
> Obviously, the app must defend itself against attacks, but that’s
> described in other topics of the top 10 (SQLi, XSS...).
> What goes beyond these protections looks to me like IDS, WAF, logging,
> traffic analysis, and is not the job of the app itself (nor of the developer,
> with some exceptions).
>
> My opinion is that the top 10 (at least this very top 10 helping
> developers with their developments) must focus on what the app can do.
> I have seen several cases where developers use a WAF (like mod_proxy) to
> implement their controls. All of them!
> Let's help developers strengthen their app, rather than relying on other tools.
>
> Sys admins and other security staff must work on other ways to defend
> their platforms (from a wider perspective).
>
> What do you think?
>
> Nicolas
>
>
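Dave's point about apps emitting security events that are distinguishable from ordinary log output, and then analyzing them, as an added illustration that is not part of the thread: each security event is one tagged JSON line, and an AppSensor-style detection point counts authentication failures per source within a sliding window. The field names, the `AUTH_FAILURE` event type, the thresholds and the sample log lines are all constructed for this example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Each security-relevant event is one JSON line tagged channel="security", so it
# stays distinguishable from ordinary application output in a shared log stream.
def security_event(ts, event_type, user, src_ip, detail=""):
    return json.dumps({"ts": ts, "channel": "security", "event": event_type,
                       "user": user, "src": src_ip, "detail": detail})

def parse_security_events(lines):
    """Keep only well-formed security events; plain app log lines are skipped."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if isinstance(rec, dict) and rec.get("channel") == "security":
            events.append(rec)
    return events

def detect_auth_bruteforce(lines, threshold=3, window_s=60):
    """AppSensor-style detection point: N auth failures from one source within a window."""
    failures, alerts = defaultdict(list), []
    for ev in parse_security_events(lines):
        if ev["event"] != "AUTH_FAILURE":
            continue
        t = datetime.fromisoformat(ev["ts"]).timestamp()
        # keep only failures that are still inside the sliding window
        recent = [x for x in failures[ev["src"]] if t - x <= window_s] + [t]
        if len(recent) >= threshold:
            alerts.append({"src": ev["src"], "count": len(recent), "at": ev["ts"]})
            recent = []  # reset so each burst raises a single alert
        failures[ev["src"]] = recent
    return alerts

# Constructed sample log stream (not real data): normal app lines interleaved
# with security events; the malformed last line must not break analysis.
SAMPLE_LOG = [
    "2017-04-13T12:40:00+00:00 INFO GET /index.html 200",
    security_event("2017-04-13T12:40:01+00:00", "AUTH_FAILURE", "alice", "203.0.113.5"),
    "2017-04-13T12:40:02+00:00 INFO GET /about 200",
    security_event("2017-04-13T12:40:03+00:00", "AUTH_FAILURE", "alice", "203.0.113.5"),
    security_event("2017-04-13T12:40:04+00:00", "AUTH_FAILURE", "bob", "203.0.113.5"),
    security_event("2017-04-13T12:45:00+00:00", "AUTH_FAILURE", "carol", "198.51.100.7"),
    "not json at all {",
]
```

Running `detect_auth_bruteforce(SAMPLE_LOG)` yields one alert for 203.0.113.5 after its third failure; the same stream fed to a log tool such as Splunk would be queried on the `channel` and `event` fields in the same way.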