[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

Paweł Krawczyk pawel.krawczyk at hush.com
Sun Apr 30 06:15:38 UTC 2017

On 04/26/2017 08:09 AM, Christian Folini wrote:
> Very often, new ideas face fierce opposition first. The question is
> if they can stand the test of time.
Hi Christian,

The controversy about A7 is not about wording or it being a new idea.
The controversy is about A7 being an outlier within the Top10 taxonomy
and, more generally, about the alleged usage of Top10 as a sales
platform, which inevitably leads to OWASP as a whole (!) losing
credibility as an independent organisation. Just read through these:


The problem with taxonomy is obviously visible if you compare what A7 is
as compared to any other Top10 items - these are all serious
vulnerabilities whose presence in a web app create an immediate and
exploitable threat. A7 on the other hand is *lack of a safeguard* which
is a completely different category and level of risk - it's not a
vulnerability per se, it's just a weak second line of defence *if and
only if real vulnerabilities are present in the app*. The #BuyYourOwnA7
tweets are ridiculing this very much to the point.

A7 would make perfect sense in the OWASP Developers Guide or OWASP
Cheat-sheets or in a hypothetical Top 10 web app controls, but it's
being pushed into the "Top 10 Most Critical Web Application Security
Risks", which is wrong from a taxonomy point of view and controversial
due to Top10's marketing potential and past attempts to ride on it.

Paweł Krawczyk
+44 7879 180015
