[Owasp-topten] RC Feedback on A7 & A10

Nick Malcolm nick at safestack.io
Mon Apr 17 23:47:43 UTC 2017

I wish to start by congratulating the OWSAP team on the results of their
hard work and effort. I have some feedback - mostly echoing what others
have said - but the intent is to support and encourage, not to rebuke. :)

Comment 1: A7 Insufficient Attack Protection
This category contains some excellent recommendations, but it is poorly
named, and covers a wide area of information security. I feel that the
audience of this document will be unnecessarily confused because of this.
Other Top 10 items tend to have one "area" of mitigation. This has three:
prevent (patch) detect, and respond. They are all critically important.

In particular, patching strategies are two of the four items on the
Australian Security Directorates' Top 4 Mitigation Strategies [1], which is
a requirement of all Australian government departments. This re-enforces
the need to have patching mentioned somewhere in the OWASP Top 10.
And in fact, it is! Category A5 talks explicitly about patching. I'd argue
that while A7 could briefly mention patching, it perhaps shouldn't and at
most just point to A5.

While it feels like a really hefty section, assuming that the contents of
A7 remains unchanged, a better name would help make the section more
readily understood. The key aspect of A7 in my mind, is being prepared.
Preparation for attacks involves figuring out how an organization will
detect and respond to threats, and preparing for security patches when they
become available.
Detecting and Responding do not _really_ protect you from an attack, they
help mitigate the effects and shorten the time to respond.

For what it's worth, some have argued for A7's removal because it favours
WAFs. I disagree - I think WAFs are a potential solution, but the ability
to detect and respond to threats requires more than just a WAF. It starts
with "policy" / guidelines / preparedness, and then on top of that you may
opt to use open source tools for rate limiting, defending against attacks,
etc, or maybe a commercial WAF. Regardless of how organizations approach
solving A7, the issue needs to be highlighted.

Suggested Changes:
  - Change "Insufficient Attack Protection" to "Insufficient Attack
Preparedness" or similar
  - Remove patching from A7

Comment 2 - A10 Underprotected APIs
I'm in favour of removing this category. It is self referential - a
protected API should make use of the OWASP Top 10 in defending it. An API
should not be treated differently to any other part of a web application -
which is why I suppose this category was introduced. However by introducing
it, it feels like it _is_ making it a separate aspect of web application

At it's core it's a reminder - "hey don't forget about your APIs". I feel
like that can be covered in the introduction, or an the other Top 10

Other's have made suggestions for additions to the Top 10, so I won't add
to that part of the conversation.

Suggested Changes:
  - Remove A10

Comment 3 - What’s Next For Testers
Nothing but praise for this section. I think this is a big improvement on
the 2013 “What’s Next for Verifies”. Good work.


Congrats again on the work done so far!

Warm regards,
Nick Malcolm

Security Consultant  |  SafeStack.io <http://safestack.io/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170418/4dbe12cd/attachment.html>

More information about the Owasp-topten mailing list