[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

Rory McCune rory.mccune at owasp.org
Tue Apr 25 20:52:35 UTC 2017


Hi James,

On this point

>> Layered security, defense in depth, anti-automation are all concepts
>> that prevent them from finding highly critical vulnerabilities quickly.
> You'll never see me objecting to defence in depth via actual exploit
> mitigations like CSP, browser XSS filters, SRI, etc. That's because unlike
> WAFs, they make the vulnerability harder to exploit rather than making it
> harder to find. In fact, perhaps Poor Defence in Depth would make a good
> replacement for A7 if you're determined to have something that isn't a
> standalone risk.

I think that this is the key point around where people, rightly, have a
problem with the idea of an OWASP Top 10 item mandating WAFs.  Like you I
test through WAFs sometimes and they're generally just an annoyance which
takes up time in a time-limited review.

However I think there's a big difference between promoting add-on
mechanisms for attack response and having applications themselves respond
to attacks (as exemplified by projects like OWASP AppSensor).  As I
commented on your blog post, I think that active defence for web
applications is a good idea and one that tragically few applications
actually implement.

Would you think that if A7 were more clearly to be targeted at in-built
Application self-defence (and not add-on mechanisms like WAFs) that it
would make a better addition to the top 10?

Cheers

Rory


On Tue, Apr 25, 2017 at 6:45 PM, James Kettle <albinowax at gmail.com> wrote:

> Hi Christian,
>
> Thanks for raising these points. I agree that my post is cynical and if it
> wasn't for my prior experience with Contrast and OWASP Benchmark I'd have
> kept quiet. I actually wrote the Benchmark half of that blog post ages ago,
> but left it unpublished because Benchmark is relatively inconsequential and
> throwing around accusations isn't something I'm keen to make a habit of.
> The top 10 is far from inconsequential, so I felt that this time around it
> was necessary to publish.
>
> > I do not care if some ad hoc poll dubs me as belonging to a minority.
> Good to hear, me neither. The poll is just there to prevent people
> claiming I'm a crazy outlier and the only one who thinks this way.
>
> > I am sure Anti-CSRF tokens make it a lot harder for pentesters to report
> CSRF vulnerabilities.
> I don't think you've fully understood Eduardo's comment. CSRF tokens don't
> make it harder to find the vulnerability, they remove the vulnerability.
> This is a huge and extremely important difference.
>
> > you want easy access to the vulnerabilities and you do not mind leaving
> the door open for the bad guys as well.
> As every pentester who has encountered a WAF knows, all WAFs tend to do is
> slow down the process of finding and exploiting vulnerabilities. For a site
> that's being audited via a pentest or bug bounty hunters, this leads to
> vulnerabilities being missed and remaining unfixed. I should probably
> restate that I'm not against WAFs/RASP in general; it's just that they have
> significant disadvantages in some use cases which make them stand out from
> other recommendations in the top 10.
>
> > Layered security, defense in depth, anti-automation are all concepts
> that prevent them from finding highly critical vulnerabilities quickly.
> You'll never see me objecting to defence in depth via actual exploit
> mitigations like CSP, browser XSS filters, SRI, etc. That's because unlike
> WAFs, they make the vulnerability harder to exploit rather than making it
> harder to find. In fact, perhaps Poor Defence in Depth would make a good
> replacement for A7 if you're determined to have something that isn't a
> standalone risk.
>
> Cheers,
>
> James
>
> On Tue, Apr 25, 2017 at 11:13 AM, Christian Folini <
> christian.folini at netnea.com> wrote:
>
>> James,
>>
>> On Tue, Apr 25, 2017 at 10:36:01AM +0100, James Kettle wrote:
>> > I've written up the rather depressing conclusion I came to regarding the
>> > introduction of A7 'Insufficient Attack Protection' over at
>> > http://www.skeletonscribe.net/2017/04/abusing-owasp.html
>>
>> I read your post last night and I share your impression that the
>> conclusion is rather depressing. I also find your argumentation
>> rather depressing.
>>
>> > I'd particularly like to draw attention to Eduardo's insightful comment:
>> >
>> > > Here is the net negative from "automatic protection" or pretty much just
>> > > any WAF. They make finding the vulnerabilities harder for the good
>> > > guys.
>>
>> Yes, protection generally prevents the good guys from finding
>> vulnerabilities. I am sure Anti-CSRF tokens make it a lot harder
>> for pentesters to report CSRF vulnerabilities. White-Hat hackers
>> market themselves as the guys that look at security with the
>> eyes of an attacker. Yet you want easy access to the vulnerabilities
>> and you do not mind leaving the door open for the bad guys as well.
>>
>> I read this clearly as an argument of an industry that defends its
>> business case. You then continue to accuse OWASP TopTen / Contrast /
>> Aspect and ultimately Dave himself (without naming him) of pushing
>> a different agenda. The jump from "do not make the life of pentesters
>> more difficult" to "Let's not allow solution providers to have a stake in
>> this" has an almost cynical feel to it for me.
>>
>> When I woke up today, I returned to your article and got the idea that
>> white-hat hackers seem to have a business interest in imperfect security
>> solutions. Layered security, defense in depth, anti-automation are all
>> concepts that prevent them from finding highly critical vulnerabilities
>> quickly.
>>
>> From a defender's perspective, these are proven concepts that are
>> underrepresented in Top10 so far. That's why I think A7 is a welcome
>> addition.
>>
>> And I do not care if some ad hoc poll dubs me as belonging to a minority.
>> New ideas are not accepted by a majority from the start. They take
>> time to develop. I am confident this will happen here as well.
>>
>> Regards,
>>
>> Christian Folini
>>
>> --
>> There has grown in the minds of certain groups in this country the
>> idea that just because a man or corporation has made a profit out of the
>> public for a number of years, the government and the courts are charged
>> with guaranteeing such a profit in the future, even in the face of
>> changing circumstances and contrary to public interest. This strange
>> doctrine is supported by neither statute or common law. Neither
>> corporations or individuals have the right to come into court and ask
>> that the clock of history be stopped, or turned back.
>> --- Robert Heinlein, Life-Line, 1939
>>
>
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
>