[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest
albinowax at gmail.com
Tue Apr 25 17:45:30 UTC 2017
Thanks for raising these points. I agree that my post is cynical and if it
wasn't for my prior experience with Contrast and OWASP Benchmark I'd have
kept quiet. I actually wrote the Benchmark half of that blog post ages ago,
but left it unpublished because Benchmark is relatively inconsequential and
throwing around accusations isn't something I'm keen to make a habit of.
The top 10 is far from inconsequential, so I felt that this time around it
was necessary to publish.
> I do not care if some ad hoc poll dubs me as belonging to a minority.
Good to hear, me neither. The poll is just there to prevent people claiming
I'm a crazy outlier and the only one who thinks this way.
> I am sure Anti-CSRF tokens make it a lot harder for pentesters to report
I don't think you've fully understood Eduardo's comment. CSRF tokens don't
make it harder to find the vulnerability, they remove the vulnerability.
This is a huge and extremely important difference.
> you want easy access to the vulnerabilities and you do not mind leaving
> the door open for the bad guys as well.
As every pentester who has encountered a WAF knows, all WAFs tend to do is
slow down the process of finding and exploiting vulnerabilities. For a site
that's being audited via a pentest or bug bounty hunters, this leads to
vulnerabilities being missed and remaining unfixed. I should probably
restate that I'm not against WAFs/RASP in general, it's just that they have
significant disadvantages in some use cases which makes them stand out from
other recommendations in the top 10.
> Layered security, defense in depth, anti-automation are all concepts that
> prevent them from finding highly critical vulnerabilities quickly.
You'll never see me objecting to defence in depth via actual exploit
mitigations like CSP, browser XSS filters, SRI, etc. That's because unlike
WAFs, they make the vulnerability harder to exploit rather than making it
harder to find. In fact, perhaps Poor Defence in Depth would make a good
replacement for A7 if you're determined to have something that isn't a
On Tue, Apr 25, 2017 at 11:13 AM, Christian Folini <christian.folini at netnea.com> wrote:
> On Tue, Apr 25, 2017 at 10:36:01AM +0100, James Kettle wrote:
> > I've written up the rather depressing conclusion I came to regarding the
> > introduction of A7 'Insufficient Attack Protection' over at
> > http://www.skeletonscribe.net/2017/04/abusing-owasp.html
> I've read your post last night and I share your impression that the
> conclusion is rather depressing. I also find your argumentation
> rather depressing.
> > I'd particularly like to draw attention to Eduardo's insightful comment:
> > > Here is the net negative from "automatic protection" or pretty much just
> > > any WAF. They make finding the vulnerabilities harder for the good
> Yes, protection generally prevents the good guys from finding
> vulnerabilities. I am sure Anti-CSRF tokens make it a lot harder
> for pentesters to report CSRF vulnerabilities. White-Hat hackers
> market themselves as the guys that look at security with the
> eyes of an attacker. Yet you want easy access to the vulnerabilities
> and you do not mind leaving the door open for the bad guys as well.
> I read this clearly as an argument of an industry that defends its
> business case. You then continue to accuse OWASP TopTen / Contrast /
> Aspect and ultimately Dave himself (without naming him) of pushing
> a different agenda. The jump from "do not make the life of pentesters
> more difficult" to "Let's not allow solution providers have a stake in
> this" has an almost cynical feel to it for me.
> When I woke up today, I returned to your article and got the idea that
> white-hat hackers seem to have a business interest in imperfect security
> solutions. Layered security, defense in depth, anti-automation are all
> concepts that prevent them from finding highly critical vulnerabilities
> From a defender's perspective, these are proven concepts that are
> underrepresented in Top10 so far. That's why I think A7 is a welcome
> And I do not care if some ad hoc poll dubs me as belonging to a minority.
> New ideas are not accepted by a majority from the start. They take
> time to develop. I am confident this will happen here as well.
> Christian Folini
> There has grown in the minds of certain groups in this country the
> idea that just because a man or corporation has made a profit out of the
> public for a number of years, the government and the courts are charged
> with guaranteeing such a profit in the future, even in the face of
> changing circumstances and contrary to public interest. This strange
> doctrine is supported by neither statute or common law. Neither
> corporations or individuals have the right to come into court and ask
> that the clock of history be stopped, or turned back.
> --- Robert Heinlein, Life-Line, 1939