[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

Paweł Krawczyk pawel.krawczyk at hush.com
Tue Apr 25 09:57:25 UTC 2017

On 04/25/2017 10:36 AM, James Kettle wrote:
> Hi all,
> I've written up the rather depressing conclusion I came to regarding
> the introduction of A7 'Insufficient Attack Protection' over
> at http://www.skeletonscribe.net/2017/04/abusing-owasp.html

Nothing new here, back in 2013  iteration we had a pentesting vendor
reshaping Top10 to fit their corporate benchmarks and client profiles
better with dubious and far-stretched arguments. There will be always
attempts to fine-tune popular standards and guidances to match vendor
policies but if everyone does that, we'll end up with yet another
useless implied product listing. There should be an open and transparent
discussion in the OWASP community to make sure the ranking is impartial.

As it comes to the actual A7 proposal, OWASP Top10 full name is "Top 10
Most Critical Web Application Security Risks" and everything except for
A7 are indeed exploitable vulnerabilities. A7 is not an exploitable
vulnerability but rather missing security control and as such it comes
from completely different world. As a both pentester but also recipient
of pentesting reports I definitely don't want to see 3rd party
pentesting companies start raising A7 as a vulnerability because it's
the same nonsense as "not disabling caching on all pages" reported as a
vulnerability based on vulnerability scanner warning without applying a
slightest risk analysis on what kind of page we're talking about.

My write-up on this report-everything-as-vulnerability trend from 2014

Paweł Krawczyk
+44 7879 180015

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 866 bytes
Desc: OpenPGP digital signature
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170425/0d995175/attachment.pgp>

More information about the Owasp-topten mailing list