[Owasp-topten] Top 10 2017 RC1 feedback - A7

Tony Turner tony.turner at owasp.org
Thu Apr 13 18:31:02 UTC 2017


Insufficient Application Logging feels more appropriate than what seems like a catchall. I feel like this iteration is regressing from an identity standpoint and trying to be too many things for too many people. Yes we should have good Ops controls but I think another project around Ops for AppSec makes more sense. That topic could easily support its own Top 10:
WAF/RASP/Virtual patching
SSL Inspection
SIEM
Environment isolation (Dev/prod/UAT etc)
Web/App/DB Server hardening
DB encryption
DB Activity monitoring
Infrastructure logging
Application Delivery optimization
Anti-bot/automated threats controls

I'm sure we could add more to this. Just my 30 second draft. But does any of it really belong in the Top 10?

--
Tony Turner 
OWASP Orlando Chapter Leader
tony.turner at owasp.org



Sent from my iPhone

> On Apr 13, 2017, at 1:32 PM, Dave Wichers <dave.wichers at owasp.org> wrote:
> 
> Thanks for your question.
> 
> I think a combination of Dev and Ops is going to have to deal with A7 for most apps/orgs. Developers should improve the security logging their apps generate. They should select and/or implement standard security controls that generate proper detection events so the app can have the opportunity to respond. They need to implement SECURITY logging. Right now most apps don't, or halfheartedly throw a few security events into their normal logs that are indistinguishable from the rest of the events. Then they need mechanisms for analyzing those events. This could be custom, or leverage libraries like OWASP AppSensor, or just feed your logs to some other tool, like Splunk, and then configure them to do the analysis they need. Ops could do the same thing completely outside the app just looking at the web traffic. Or a combination of both.
> 
> Both Dev and Ops should have a strong role to play here in my opinion. But certainly some orgs will do it purely with Ops, and not 'bother' the developers with this stuff.
> 
> -Dave
> 
>> On Thu, Apr 13, 2017 at 12:42 PM, Nicolas BONNEFOUS <bonnefousn at vaadata.com> wrote:
>> Hi,
>> 
>> My first reaction when seeing the new list of categories in that Top 10 was regarding A7 – Insufficient Attack Protection.
>> 
>> Obviously, the app must defend itself against attacks, but that’s described in other topics of the top 10 (SQLi, XSS...).
>> What goes beyond these protections looks to me like IDS, WAF, logging, traffic analysis, and is not the job of the app itself (nor of the developer, with some exceptions).
>> 
>> My opinion is that the top 10 (at least this very top 10 helping developers with their developments) must focus on what the app can do.
>> I have seen several cases where developers use a WAF (like mod_proxy) to implement their controls. All of them!
>> Let’s help developers strengthen their app, rather than relying on other tools.
>> 
>> Sys admins and other security staff must work on other ways to defend their platforms (from a wider perspective).
>> 
>> What do you think?
>> 
>> Nicolas
>> 
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
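The pattern Dave describes in the quoted reply (security events written so they are distinguishable from ordinary application logs, then analyzed either in-app or by a separate tool) is illustrated below. This is an added example for this archive page, not code from the thread and not OWASP AppSensor's code; the event names, the threshold and window, the logger name "security" and the sample addresses are all constructed for illustration.

```python
"""Dedicated security-event logging plus a small sliding-window analyzer.

Added illustration of the Dev-side part of A7 as discussed in the thread:
emit structured security events on their own logger, then detect patterns
(here: repeated failed logins from one source) over those events.
"""
import json
import logging
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# A dedicated logger name keeps security events apart from normal app logs.
# In a real deployment you would attach its own handler/file or SIEM shipper.
security_log = logging.getLogger("security")


def build_event(event_type, actor, source_ip, when=None, **details):
    """Return one structured security event (dict) with a UTC timestamp."""
    ts = when or datetime.now(timezone.utc)
    return {"ts": ts.isoformat(), "event": event_type, "actor": actor,
            "src": source_ip, **details}


def security_event(event_type, actor, source_ip, when=None, **details):
    """Emit a security event as a single JSON line and return the event."""
    event = build_event(event_type, actor, source_ip, when, **details)
    security_log.warning(json.dumps(event))
    return event


class FailedLoginDetector:
    """Flag a source IP that produces `threshold` failed logins within `window`.

    Simplified, AppSensor-style detection point; assumption: one event stream
    per application, source identified by the 'src' field.
    """

    def __init__(self, threshold=5, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self._hits = defaultdict(deque)  # src -> timestamps in the window

    def observe(self, event):
        """Feed one parsed event; return an alert dict or None."""
        if event.get("event") != "auth.login.failure":
            return None
        ts = datetime.fromisoformat(event["ts"])
        hits = self._hits[event["src"]]
        hits.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while hits and ts - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.threshold:
            return {"alert": "repeated_login_failures",
                    "src": event["src"], "count": len(hits)}
        return None


def analyze(lines, detector=None):
    """Parse JSON event lines (as written by security_event); return alerts.

    Non-JSON lines (ordinary application log output) are skipped, which is
    exactly why security events are emitted in their own structured form.
    """
    detector = detector or FailedLoginDetector()
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a security event; ignore
        alert = detector.observe(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample input: one plain app log line, a success, a single failure
# from one source, and six failures within a minute from another source.
BASE = datetime(2017, 4, 13, 18, 0, tzinfo=timezone.utc)  # constructed timestamp
SAMPLE_LINES = [
    "INFO GET /index.html 200 12ms",  # ordinary app log, not a security event
    json.dumps(build_event("auth.login.success", "bob", "198.51.100.9", BASE)),
    json.dumps(build_event("auth.login.failure", "carol", "198.51.100.9",
                           BASE + timedelta(seconds=5))),
] + [
    json.dumps(build_event("auth.login.failure", "alice", "203.0.113.7",
                           BASE + timedelta(seconds=10 * i)))
    for i in range(6)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

With the default threshold of five, the analyzer raises an alert on the fifth and sixth failures from 203.0.113.7 and nothing for the lone failure from the other address; the plain "INFO GET ..." line is ignored because it is not a structured security event. The same JSON lines could equally be shipped to Splunk or another SIEM, which is the Ops-side option Dave mentions.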