[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

James Kettle albinowax at gmail.com
Tue Apr 25 09:36:01 UTC 2017


Hi all,

I've written up the rather depressing conclusion I came to regarding the
introduction of A7 'Insufficient Attack Protection' over at
http://www.skeletonscribe.net/2017/04/abusing-owasp.html

I'd particularly like to draw attention to Eduardo's insightful comment:

> Here is the net negative from "automatic protection" or pretty much just
> any WAF. They make finding the vulnerabilities harder for the good guys.
> This means:
> 1. Mitigations are imperfect and bypassable by definition.
> 2. It will be harder for "good guys" to find vulnerabilities.
> 3. Fewer vulnerabilities will be fixed in the absolute.
> As a result, applications will end up worse and all that while profiting
> vendors. FFS..


The following post is also highly relevant and interesting:
https://medium.com/@JoshCGrossman/behind-the-the-owasp-top-10-2017-rc1-df43236f79ff



Here's the full text of my post for posterity:


The latest draft of the OWASP TOP 10
<https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf>
‘Most Critical Web Application Security Risks’ added a new entry at A7, titled
‘Insufficient Attack Protection’. It claims that failing to detect and
respond to attacks is a critical risk.

This is a surprising and distinctly out-of-place addition to the top 10;
every other entry is a serious vulnerability that poses a notable risk by
itself, whereas failure to detect attacks is only hazardous when combined
with a real vulnerability.

Furthermore, addressing any other entry in the top 10 provides a clear net
positive to a webapp’s security posture, whereas complying with A7 can
easily cause a net harm. Complying with A7 makes it extremely awkward to
run an accessible bug bounty program, since it will hinder researchers
trying to help you out. It also increases your attack surface (much like
antivirus software) and introduces the risk of denial of service attacks by
spoofing attacks from other users.

I’m not the only one in the community who thinks Insufficient Attack
Protection has no place in the top 10 (see
<https://twitter.com/sirdarckcat/status/855860484377063424>,
<https://twitter.com/kkotowicz/status/851753428107898880>,
<https://twitter.com/strawp/status/851764135704571904> and
<https://twitter.com/slekies/status/851757526139973634>) - a poll by
@thornmaker <https://twitter.com/thornmaker/status/852263747267710977> found
80% of 110 respondents thought it should be removed.

At this point, you might be wondering where A7 came from. According to a
contributor, it was "suggested by Contrast Security and *only* by Contrast
Security"
<http://lists.owasp.org/pipermail/owasp-topten/2017-April/001422.html>.

I wonder why Contrast Security made this suggestion? Well, we can find a
clue on their website - they’ve already started using A7 to flog ‘Contrast
Protect’, their shiny attack protection solution:

A7: Insufficient Attack Protection. This new requirement means that
applications need to detect, prevent, and respond to both manual and
automated attacks. […] Contrast Protect effectively blocks attacks
<https://www.contrastsecurity.com/runtime-application-self-protection-rasp> by
injecting the protection directly into the application where it can take
advantage of the full application context.

https://www.contrastsecurity.com/security-influencers/two-new-vulnerabilites-added-to-the-owasp-top-10

Still, perhaps I shouldn’t rush to assume Contrast Security is acting in
bad faith and abusing the OWASP brand name to sell a product. It’s not like
they’ve done anything like this before is it?

In 2015 Contrast/Aspect
<http://www.aspectsecurity.com/contrast-security> released
a tool to evaluate vulnerability scanners dubbed “OWASP Benchmark
<https://www.owasp.org/index.php/Benchmark>”. This is much lower profile
than the OWASP Top 10, but I work for a web scanner vendor myself so it
caught my attention. Just like the new OWASP Top 10, there was something a
bit odd about it - it ranked Contrast’s scanner vastly higher than all the
competition, something they made sure to point out
<https://www.contrastsecurity.com/owasp-benchmark> in marketing materials.

Here’s what Simon Bennetts, the OWASP project leader for ZAP, had to say:

Here we have a company that leads an OWASP project that just happens to
show that their offering in this area appears to be _significantly_ better
than any of the competition. Their recent press release stresses that it's
an OWASP project, makes the most of the fact that the US DHS helped fund it,
but makes no mention of their role in developing it.

http://lists.owasp.org/pipermail/owasp-leaders/2015-September/015120.html

Simon's post caused extensive discussion on the OWASP leaders mailing list,
eventually leading to Jim Manico (an OWASP board member at the time) calling
for the project to be demoted to 'incubator' status
<https://lists.owasp.org/pipermail/owasp-board/2015-December/016724.html>,
in order to reflect the project's immaturity. The project is still in
incubator status. This hasn’t stopped Gartner from using it to compare
scanning vendors, so I guess Contrast still got their money’s worth.

All in all I think it’s pretty clear why Insufficient Attack Protection has
suddenly appeared. Perhaps the OWASP Top 10 should be demoted to incubator
status too :-)

Cheers,

James