[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

Delbrouck-Konetzko Thorsten thorsten.delbrouck at gi-de.com
Tue Apr 25 09:53:23 UTC 2017


Thanks for putting this together – I fully agree and this phrases my concerns much nicer than I could have done it.

> surprising and distinctly out of place addition to the top 10

That sums it up quite nicely and I seriously hope we can move past this lobbying now and get back to identifying the actual “top 10 most critical risks in web applications”.

Best Regards

Thorsten Delbrouck
Corporate Chief Information Security Officer

Phone +49 89 4119-3895  |  Fax +49 89 4119-1840  |  Mobile +49 172 301 344 5  |  mailto:thorsten.delbrouck at gi-de.com
Giesecke & Devrient GmbH  |  Prinzregentenstr. 159, D-81677 Munich, Germany  |  https://www.gi-de.com/

From: owasp-topten-bounces+thorsten.delbrouck=gi-de.com at lists.owasp.org [mailto:owasp-topten-bounces+thorsten.delbrouck=gi-de.com at lists.owasp.org] On Behalf Of James Kettle
Sent: Dienstag, 25. April 2017 11:36
To: OWASP-TopTen at lists.owasp.org
Subject: [Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

Hi all,

I've written up the rather depressing conclusion I came to regarding the introduction of A7 'Insufficient Attack Protection' over at http://www.skeletonscribe.net/2017/04/abusing-owasp.html

I'd particularly like to draw attention to Eduardo's insightful comment:

Here is the net negative from "automatic protection" or pretty much just any WAF. They make finding the vulnerabilities harder for the good guys.
This means:
1. Mitigations are imperfect and bypassable by definition.
2. It will be harder for "good guys" to find vulnerabilities.
3. Less vulnerabilities will be fixed in the absolute.
As a result, applications will end up worse and all that while profiting vendors. FFS..

The following post is also highly relevant and interesting: https://medium.com/@JoshCGrossman/behind-the-the-owasp-top-10-2017-rc1-df43236f79ff

Here's the full text of my post for posterity:

The latest draft of the OWASP TOP 10<https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf> ‘Most Critical Web Application Security Risks’ added a new entry at A7, titled ‘Insufficient Attack Protection’. It claims that failing to detect and respond to attacks is a critical risk.

This is a surprising and distinctly out of place addition to the top 10; every other entry is a serious vulnerability that poses a notable risk by itself, whereas failure to detect attacks is only hazardous when combined with a real vulnerability.

Furthermore, addressing any other entry in the top 10 provides a clear net positive to a webapp’s security posture, whereas complying with A7 can easily cause a net harm. Complying with A7 makes it extremely awkward to run an accessible bug bounty program, since it will hinder researchers trying to help you out. It also increases your attack surface (much like antivirus software) and introduces the risk of denial of service attacks by spoofing attacks from other users.

I’m not<https://twitter.com/sirdarckcat/status/855860484377063424> the only<https://twitter.com/kkotowicz/status/851753428107898880> one in<https://twitter.com/strawp/status/851764135704571904> the community<https://twitter.com/slekies/status/851757526139973634> who thinks Insufficient Attack Protection has no place in the top 10 - a poll by @thornmaker<https://twitter.com/thornmaker/status/852263747267710977> found 80% of 110 respondents thought it should be removed.

At this point, you might be wondering where A7 came from. According to a contributer, it was "<http://lists.owasp.org/pipermail/owasp-topten/2017-April/001422.html>suggested by Contrast Security and *only* by Contrast Security"<http://lists.owasp.org/pipermail/owasp-topten/2017-April/001422.html>.

I wonder why Contrast Security made this suggestion? Well, we can find a clue on their website - they’ve already started using A7 to flog ‘Contrast Protect’, their shiny attack protection solution:
A7: Insufficient Attack Protection. This new requirement means that applications need to detect, prevent, and respond to both manual and automated attacks. […] Contrast Protect effectively blocks attacks<https://www.contrastsecurity.com/runtime-application-self-protection-rasp> by injecting the protection directly into the application where it can take advantage of the full application context.

Still, perhaps I shouldn’t rush to assume Contrast Security is acting in bad faith and abusing the OWASP brand name to sell a product. It’s not like they’ve done anything like this before is it?

In 2015 Contrast/Aspect<http://www.aspectsecurity.com/contrast-security> released a tool to evaluate vulnerability scanners dubbed “OWASP Benchmark<https://www.owasp.org/index.php/Benchmark>”. This is much lower profile than the OWASP Top 10, but I work for a web scanner vendor myself so it caught my attention. Just like the new OWASP Top 10, there was something a bit odd about it - it ranked Contrast’s scanner vastly higher than all the competition, something they made sure to point out<https://www.contrastsecurity.com/owasp-benchmark> in marketing materials.

Here’s what Simon Bennets, the OWASP project leader for ZAP had to say:
Here we have a company that leads an OWASP project that just happens to show that their offering in this area appears to be _significantly_ better than any of the competition. Their recent press release stresses that its an OWASP project, make the most of the fact that the US DHS helped fund it but make no mention of their role in developing it.

Simon's post caused extensive discussion on the OWASP leaders mailing list, eventually leading to Jim Manico (an OWASP board member at the time) calling for the project to be demoted to 'incubator' status<https://lists.owasp.org/pipermail/owasp-board/2015-December/016724.html>, in order to reflect the project's immaturity. The project is still in the incubator status. This hasn’t stopped Gartner from using it to compare scanning vendors, so I guess Contrast still got their money’s worth.

All in all I think it’s pretty clear why Insufficient Attack Protection has suddenly appeared. Perhaps the OWASP Top 10 should be demoted to incubator status too :-)



Vorsitzender des Aufsichtsrats: Prof. Klaus Josef Lutz
Geschäftsführer: Ralf Wintergerst (Vorsitzender, CEO), Hans Wolfgang Kunz, Dr. Peter Zattler (CFO)
Gesellschaftssitz: München, Handelsregister Amtsgericht München HRB 4619
Bitte prüfen Sie der Umwelt zuliebe, ob der Ausdruck dieser E-Mail erforderlich ist. G&D engagiert sich für den Klimaschutz.<http://www.gi-de.com/deu/de/about_g_d/responsibility_2/climate_environmental_protection/climate-and-environmental-protection.jsp>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170425/81637304/attachment-0001.html>

More information about the Owasp-topten mailing list