[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

Christian Folini christian.folini at netnea.com
Tue Apr 25 10:13:23 UTC 2017


James,

On Tue, Apr 25, 2017 at 10:36:01AM +0100, James Kettle wrote:
> I've written up the rather depressing conclusion I came to regarding the
> introduction of A7 'Insufficient Attack Protection' over at
> http://www.skeletonscribe.net/2017/04/abusing-owasp.html

I read your post last night and I share your impression that the
conclusion is rather depressing. I also find your argumentation
rather depressing.

> I'd particularly like to draw attention to Eduardo's insightful comment:
> 
> > Here is the net negative from "automatic protection" or pretty much just
> > any WAF. They make finding the vulnerabilities harder for the good guys.

Yes, protection generally prevents the good guys from finding
vulnerabilities. I am sure Anti-CSRF tokens make it a lot harder
for pentesters to report CSRF vulnerabilities. White-Hat hackers
market themselves as the guys that look at security with the
eyes of an attacker. Yet you want easy access to the vulnerabilities
and you do not mind leaving the door open for the bad guys as well.

I read this clearly as an argument of an industry that defends its
business case. You then continue to accuse OWASP TopTen / Contrast /
Aspect and ultimately Dave himself (without naming him) of pushing
a different agenda. The jump from "do not make the life of pentesters
more difficult" to "let's not allow solution providers to have a stake in
this" has an almost cynical feel to it for me.

When I woke up today, I returned to your article and got the idea that
white-hat hackers seem to have a business interest in imperfect security
solutions. Layered security, defense in depth, and anti-automation are all
concepts that prevent them from finding highly critical vulnerabilities
quickly.

From a defender's perspective, these are proven concepts that are
underrepresented in the Top 10 so far. That's why I think A7 is a welcome
addition.

And I do not care if some ad hoc poll dubs me as belonging to a minority.
New ideas are not accepted by a majority from the start. They take
time to develop. I am confident this will happen here as well.

Regards,

Christian Folini

-- 
There has grown in the minds of certain groups in this country the
idea that just because a man or corporation has made a profit out of the
public for a number of years, the government and the courts are charged
with guaranteeing such a profit in the future, even in the face of
changing circumstances and contrary to public interest. This strange
doctrine is supported by neither statute or common law. Neither
corporations or individuals have the right to come into court and ask
that the clock of history be stopped, or turned back.
--- Robert Heinlein, Life-Line, 1939
