[Owasp-topten] [Owasp-leaders] On "Insufficient Attack Protection", and the role of OWASP...

Tony UV tonyuv at owasp.org
Sat Apr 15 03:09:28 UTC 2017


I've long fallen out of love with the Top 10 for the lack of multi-data
sources.  I don't actually recommend it often, but nothing takes away that it's
one of the more recognized OWASP products.

Agreed that more data points are needed.  I see two avenues for getting
that said.

*Industry Driven*: To Tim's point, polling an industry group of pen testers
that could perhaps normalize and anonymize their data to reflect what's
'top' for them.  Beyond this, what about WAFs?  Are vendor-supported WAFs
centralizing their data to the cloud or to a traditional, centralized,
self-hosted environment?  Any WAF product owners want to lend a thought?

This makes two data sets.  A third was mentioned around post-incident
reviews.  Great if it could be obtained.  Post-incident sharing is what it's
almost been - weak, but would be great to get.

*OWASP Driven*: What about OWASP providing a way to identify the top ten
based upon research of a managed honey-net/pot?  What about creating a
ModSecurity SaaS service that gets funded with project money and that
actually serves as a route to SMBs or <$500M firms worldwide?  A shared
service model, if you will, where it can get subsidized by project money and
perhaps lend its shared service to other non-profits, etc.  A ZScaler, if you
will, within Matt T's domain and purview and funded by global project
money?  Taking it back to stats, we could harvest real attacks based upon
tripped rules over a sample size of time and industry focus.

Just some thoughts.

Tony UV

On Fri, Apr 14, 2017 at 10:52 PM, Michael Coates <michael.coates at owasp.org>
wrote:

> Tim
>
> Great points about the state of data in infosec. That seems like an
> interesting blogpost on its own.
>
> Another of your points caught my eye and reminded me of other comments
> I've seen.
>
> "To me, a better approach would be to take a broad survey of pentesters
> and ask
> them good questions about what vulnerabilities they are seeing with more
> prevalence in both legacy applications and newly written applications"
>
> I think this would be a very interesting survey result.
>
> In addition, I also think a study of available application breaches by
> root cause would be very powerful too.
>
> From my perspective, we (the security industry) sometimes get caught up in
> vulnerabilities that *could* be exploited and fail to give proper priority
> to the issues that actually *are* being exploited for breaches. And this is
> where consulting company data metrics can skew the perceptions.
>
> For example, for all the research and products in infosec, good ole
> phishing still is the easiest way into a company.
>
> Just food for thought.
>
>
> On Fri, Apr 14, 2017 at 1:06 AM Timothy D. Morgan <tim.morgan at owasp.org>
> wrote:
>
>> A word of caution about "data driven": virtually all data in infosec is
>> pretty awful, from a scientific perspective.  It's plagued by subjective
>> decisions about up-front categorization and confirmation bias.  So your
>> pentesting firm gives you stats on the kinds of bugs they find?  Did they
>> bother to look for X class of vulns?  Does your sales/marketing team
>> encourage them to write up findings like "you don't have a WAF" because the
>> company also sells a WAF?  Sure, that last one sounds blatant, but this bias
>> can be more subtle and just as detrimental.
>>
>> Ultimately, whatever data we have about what vulns are present, we don't
>> have the more important data to associate with it: that is, which
>> vulnerabilities are actually being exploited?  How high of a risk is each of
>> these flaws typically?
>>
>> You asked the parties providing data a question about what Top 10 item
>> should be removed... Two responded that A9 should be removed and no other
>> suggestions for removal were provided.  Only ~12k instances of this issue
>> were found in the dataset.  Yet this controversial category is kept, while
>> XXE is far more prevalent, isn't an injection attack, and is just lumped in
>> incorrectly with injections.
>>
>> The two new categories were added, both suggested by Contrast Security and
>> *only* by Contrast Security.  Meanwhile, two respondents suggested adding
>> XXE (CWE 611) as its own category.  The data provided makes it seem as if
>> Contrast Security is running the show.
>>
>> To me, a better approach would be to take a broad survey of pentesters and
>> ask them good questions about what vulnerabilities they are seeing with more
>> prevalence in both legacy applications and newly written applications.  The
>> human mind acts as a good filter, and while no one pentester tests all types
>> of applications, well chosen questions and lots of responses will allow your
>> stats to converge to a center of mass the industry can live with.
>>
>> tim
>>
>>
>> On 2017-04-13 00:21:08 +0000 Michael Coates <michael.coates at owasp.org>
>> wrote:
>>
>> > Eoin,
>> >
>> > Very fair questions and I agree with you to look for a data driven
>> > approach.
>> >
>> > I'm not part of the top 10 project so consider my feedback anecdotal at
>> > best.
>> >
>> > On Wed, Apr 12, 2017 at 4:55 PM Eoin Keary <eoin.keary at owasp.org>
>> wrote:
>> >
>> > > Hi Michael,
>> > >
>> > > The question for me, as a contributor to the top 10 via our
>> > > SaaS/edgescan is: what metrics were used to draw the conclusion?
>> > >
>> > > Is it subjective/"whatever feels right" or is it based in data?
>> > >
>> > > Without data anyone can draft a top 10, as it means little other than a
>> > > marketing exercise or awareness doc, not an accurate reflection.
>> > >
>> > > As an organisation we should be directing people to quick wins, most
>> > > common issues, and focus on a risk-based approach... what's the most
>> > > common vulnerability, etc.
>> > >
>> > > The issue A7 is rather unclear.  Some folks are saying RASP, others WAF,
>> > > you are saying credential stuffing / focused brute force.  So given there
>> > > is debate on its meaning amongst us, how can we expect developers to
>> > > grasp this issue?
>> > >
>> > > Love you all 😍🤡
>> > >
>> > > Eoin.
>> > >
>> > > Sent from my iPhone
>> > >
>> > > On 12 Apr 2017, at 19:34, Michael Coates <michael.coates at owasp.org>
>> wrote:
>> > >
>> > > There will be lots of discussion on the new Top10 RC, which is great.
>> > > I encourage many to bring comments, feedback and data to the
>> > > conversation.
>> > >
>> > > I'll keep my comments brief.  I'm very much in favor of A7.  It could
>> > > use some word cleanup, perhaps a more fitting title too.  But the spirit
>> > > of what's being discussed is an important advancement to defending web
>> > > applications.  (Also, I don't consider this to be a WAF recommendation;
>> > > I wouldn't go that route on this at all.)
>> > >
>> > > A7 reminds me of the massive credential stuffing attacks issue that has
>> > > hit many big sites over the past 18 months.  No amount of secure dev,
>> > > top 10s, or WAFs stop credential stuffing.  Instead you need active
>> > > defense that is smartly part of the application design.
>> > >
>> > > So, if A7 draws attention to this type of issue (or similar - see OWASP
>> > > automated threats
>> > > <https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications>)
>> > > then I consider that a win.
>> > >
>> > > Just my 2-cent contribution to the larger conversation.
>> > >
>> > > Carry on security folks!
>> > >
>> > > --
>> > > Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
>> > >
>> > > On Wed, Apr 12, 2017 at 4:42 AM, Eoin Keary <eoin.keary at owasp.org>
>> wrote:
>> > >
>> > > As a contributing company to the Top10 stats I'd like to understand the
>> > > stats behind both new additions.  Appreciated if someone can point me to
>> > > the right files/stats model?
>> > >
>> > > Sent from my iPhone
>> > >
>> > > On 12 Apr 2017, at 05:19, Azzeddine Ramrami <azzeddine.ramrami at owasp.org>
>> > > wrote:
>> > >
>> > > Hi,
>> > >
>> > > I agree to change the name from "Insufficient Attack Protection" but
>> > > not to "Improper Trust Modeling".
>> > >
>> > > I suggest changing it to "Insufficient Attack Detection and Response".
>> > >
>> > > Regards,
>> > > Azzeddine
>> > >
>> > > On Wed, Apr 12, 2017 at 7:24 AM, Norman Yue <norman.yue at owasp.org>
>> wrote:
>> > >
>> > > Hey folks,
>> > >
>> > > Greetings from sunny Sydney - I hope this email finds you well.  I
>> > > apologise for spamming owasp-leaders with this, but I think this is
>> > > important enough that it warrants the attention of the international
>> > > leadership community.
>> > >
>> > > Traditionally, we have been a trusted source of information with
>> > > regards to web application information security, providing both tools
>> > > and technical reference information to developers and application
>> > > security professionals, to help secure the Internet for everyone.
>> > >
>> > > Today, "Insufficient Attack Protection" is actually being considered for
>> > > inclusion in an OWASP Top Ten list.
>> > >
>> > > (Constructively, I think this should be replaced with something like
>> > > "improper trust modelling", and we push the Google BeyondCorp line of
>> > > thinking https://research.google.com/pubs/pub43231.html - the polar
>> > > opposite to "buy a waf".)
>> > >
>> > > Words do not express my burning rage, and my disappointment that no-one
>> > > else appears to feel the same way (I read through the owasp-topten list
>> > > before posting this).  Do people still care about the future of this
>> > > community, and how OWASP is perceived throughout the information
>> > > security industry?
>> > >
>> > > With best regards,
>> > >
>> > >
>> > > Norm
>> > >
>> > > _______________________________________________
>> > > OWASP-Leaders mailing list
>> > > OWASP-Leaders at lists.owasp.org
>> > > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> > >
>> > >
>> > >
>> > >
>> > > --
>> > > Azzeddine RAMRAMI
>> > > +33 6 65 48 90 04
>> > > OWASP CSRFGuard Project Leader
>> > > OWASP Leader (Morocco Chapter)
>> > > Cognitive Security Expert
>> > >
>> >
>> > --
>> > Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
>> > OWASP Global Board
>>
>> --
>
> --
> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
> OWASP Global Board