[Owasp-topten] General comments

David Caissy david.caissy at gmail.com
Wed Apr 19 12:08:39 UTC 2017


Hi everyone,

It's good to see that people have posted constructive comments about the
new Top 10!

I think that we have to keep in mind that it's about the ten most critical
web application "security risks", not about the top 10 web application
"vulnerabilities". While A7-Insufficient Attack Protection isn't a
vulnerability, it is a security risk, as a lack of detection and proper
response increases the probability of successful exploitation. I'm saying
this because many comments were about A7 not being a vulnerability... ;)

Also, maybe removing "You can use technologies like WAFs, RASP, and OWASP
AppSensor to detect or block attacks, and/or virtually patch
vulnerabilities" from A7 would make a lot of people happy? We would still
achieve the same goal without focusing too much on WAFs. Maybe we could
replace this line with something that talks about logs (proper logging + log
review techniques)?

But I'm totally behind the new A7 as I see applications lacking detection
mechanisms and proper response soooo much in my pen tests!!! :P

Have a great day everyone!

David Caissy
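The post argues that A7 is about detection and response rather than a single vulnerability, and suggests framing it around proper logging and log review. The following is an added illustration of what such a log-review detection point can look like; it is not code from the original post, from OWASP, or from AppSensor. It assumes Common Log Format access logs, uses constructed sample lines (the IPs are documentation addresses, not real hosts), and the rule names, thresholds and windows are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format). Not taken from any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Apr/2017:12:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [19/Apr/2017:12:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [19/Apr/2017:12:00:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [19/Apr/2017:12:00:06 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [19/Apr/2017:12:00:07 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.2 - - [19/Apr/2017:12:00:10 +0000] "GET /account HTTP/1.1" 200 2048
198.51.100.2 - - [19/Apr/2017:12:00:12 +0000] "GET /orders/1 HTTP/1.1" 200 1024
198.51.100.2 - - [19/Apr/2017:12:00:13 +0000] "GET /orders/2 HTTP/1.1" 403 128
198.51.100.2 - - [19/Apr/2017:12:00:14 +0000] "GET /orders/3 HTTP/1.1" 403 128
198.51.100.2 - - [19/Apr/2017:12:00:15 +0000] "GET /orders/4 HTTP/1.1" 403 128
192.0.2.9 - - [19/Apr/2017:12:05:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.9 - - [19/Apr/2017:12:05:30 +0000] "POST /login HTTP/1.1" 200 512
"""

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


# Assumed detection points: a rule fires once per source when the number of
# matching events seen from that source within the window reaches the threshold.
RULES = [
    {
        "name": "repeated authentication failure",
        "match": lambda e: e["status"] == 401 and e["path"] == "/login",
        "threshold": 5,
        "window": timedelta(seconds=60),
    },
    {
        "name": "repeated access denied",
        "match": lambda e: e["status"] == 403,
        "threshold": 3,
        "window": timedelta(seconds=60),
    },
]


def detect(log_text, rules=RULES):
    """Run every rule over the log and return (rule name, source ip, time) alerts."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    for rule in rules:
        recent = defaultdict(list)   # sliding window of timestamps per source ip
        already_alerted = set()      # suppress duplicate alerts for the same source
        for e in events:
            if not rule["match"](e):
                continue
            window = recent[e["ip"]]
            window.append(e["ts"])
            # Drop timestamps that fell out of the rule's time window.
            while window and e["ts"] - window[0] > rule["window"]:
                window.pop(0)
            if len(window) >= rule["threshold"] and e["ip"] not in already_alerted:
                already_alerted.add(e["ip"])
                alerts.append((rule["name"], e["ip"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for name, ip, when in detect(SAMPLE_LOG):
        print(f"{when.isoformat()} {ip}: {name}")
```

The point the example makes is the one the post makes: the 401s and 403s are each ordinary, correct responses on their own, and only logging plus review of the pattern over time turns them into something an application can respond to (rate limiting, locking, or an operator alert). The single failed login from 192.0.2.9 followed by a success stays below the threshold and produces no alert, which is the behaviour a practitioner wants from such a rule.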