[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

Jason White jason.white at owasp.org
Tue Apr 25 15:56:41 UTC 2017

First, thanks to all who contribute their time and energy to the Top 10 and OWASP in general ... and to Dave & Jeff for their contributions over many years.

As to this issue at hand, I can't disagree with the questionable appearance of independence as cited in James Kettle's blog. However, I also don't want to jump to any conclusion. To that end, I'd like to see, hear more about the data/process behind 'Insufficient Attack Protection' debuting on the Top 10 list (and why at #7?).  I think most folks that are concerned, are concerned with the transparency and independence than whether not we need more protection and detection in web apps (but I could be wrong there). 

As a data example, my company's plain 'www' website sees 30% or more of it's traffic as automated scans/probes (at least we detect that 30% + of the traffic is that way). We submitted data about security assessments we performed, but did not submit this issue of 30%+  as part of the data call. Nor did we submit how many apps assessed used WAF, RASP, AppSensor etc.  So then, how was the 'lack of' calculated or determined to debut on the Top 10?

As for the CSRF example below, CSRF is a fundamental issue inherent in HTTP. It's HTTP working as designed, but can be abused.  This is true of many security vulnerabilities that we face ... developers are starting off handicapped. I'll avoid tangenting off here, but the point is (IMO) that lack of specific/positive CSRF protection is in itself a vulnerability. So yes, we can argue that 'lack of protection' == 'risk' (or at least vulnerability) in many cases. On that basis, there is grounds for citing 'lack of protection' as a risk. For that matter though (and due to the handicap that HTTP starts us off with) ... that could describe almost any vulnerability. In the end, I think A7 (assuming it stays) would be better dressed/named as 'Lack of Defense in Depth' and have a wider net of defenses included in recommendations. I think protections such as CSP (to include reporting), HPKP (to include reporting), HSTS, proper CORS configuration and similar standards-based protections should get first billing. That, or this is something to be considered for the Top 10 proactive controls (which I hope we could use this Top 10 to get more development groups to look at).

Back to the data, we certainly could get data sites' usage of CSP, proper CORS, HSTS, etc, right? Some work has already been done in that direction (at least IIRC, on CSP and CORS), no?

My $0.02


> On Apr 25, 2017, at 6:13 AM, Christian Folini <christian.folini at netnea.com> wrote:
> James,
> On Tue, Apr 25, 2017 at 10:36:01AM +0100, James Kettle wrote:
>> I've written up the rather depressing conclusion I came to regarding the
>> introduction of A7 'Insufficient Attack Protection' over at
>> http://www.skeletonscribe.net/2017/04/abusing-owasp.html
> I've read your post last night and I share your impression that the
> conclusion is rather depressing. I also find your argumentation
> rather depressing.
>> I'd particularly like to draw attention to Eduardo's insightful comment:
>> Here is the net negative from "automatic protection" or pretty much just
>>> any WAF. They make finding the vulnerabilities harder for the good guys.
> Yes, protection generally prevents the good guys from finding
> vulnerabilities. I am sure Anti-CSRF tokens make it a lot harder
> for pentesters to report CSRF vulnerabilities. White-Hat hackers
> market themselves as the guys that look at security with the
> eyes of an attacker. Yet you want easy access to the vulnerabilities
> and you do not mind leaving the door open for the bad guys as well.
> I read this clearly as an argument of an industry that defends its
> business case. You then continue to accuse OWASP TopTen / Contrast /
> Aspect and ultimately Dave himself (without naming him) of pushing
> a different agenda. The jump from "do not make the life of pentesters
> more difficult" to "Let's not allow solution providers have a stake in 
> this" has an almost cynical feel to it for me.
> When I woke up today, I returned to your article and got the idea that
> white-hackers seem to have a business interest in imperfect security
> solutions. Layered security, defense in depth, anti-automation are all
> concepts that prevent them from finding highly critical vulnerabilities
> quickly.
> From a defender's perspective, these are proven concepts that are
> underrepresented in Top10 so far. That's why I think A7 is a welcome
> addition.
> And I do not care of some adhoc poll dubs me belonging into a minority.
> New ideas are not accepted by a majority from the start. They take
> time to develop. I am confident this will happen here as well.
> Regards,
> Christian Folini
> -- 
> There has grown in the minds of certain groups in this country the
> idea that just because a man or corporation has made a profit out of the
> public for a number of years, the government and the courts are charged
> with guaranteeing such a profit in the future, even in the face of
> changing circumstances and contrary to public interest. This strange
> doctrine is supported by neither statute or common law. Neither
> corporations or individuals have the right to come into court and ask
> that the clock of history be stopped, or turned back.
> --- Robert Heinlein, Life-Line, 1939
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten

More information about the Owasp-topten mailing list