[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

Christian Folini christian.folini at netnea.com
Sun Apr 30 19:52:31 UTC 2017

Hi Paweł,

Thank you for taking this up again.

On Sun, Apr 30, 2017 at 07:15:38AM +0100, Paweł Krawczyk wrote:
> On 04/26/2017 08:09 AM, Christian Folini wrote:
> > Very often, new ideas face fierce opposition first. The question is
> > if they can stand the test of time.
> The controversy about A7 is not about wording or it being a new idea.
> The controversy is about A7 being an outlier within the Top10 taxonomy

It is obvious that A7 is an outlier from a taxonomy standpoint.
But I do not see Top10 as a taxonomy project. For me it is more
a tool to talk about weaknesses and risks with people that are not
necessarily techies.

You could argue that Top10 needs to define what it wants to be
before the existing stricter taxonomy is put aside, though.
Personally, I do not have an opinion on that.

> and, more generally, about the alleged usage of Top10 as a sales
> platform, which inevitably leads to OWASP as a whole (!) losing
> credibility as an independent organisation.

"Sales platform" and "inevitably losing credibility" sound a lot like
the accusations against some OWASP leaders from ten years ago when I
first got involved. Maybe yes, maybe not. I am working mostly in 
Switzerland and the names you guys associate with that alleged
behaviour are not really present around here. But I can assure you
that my entire commercial competition is using OWASP Top Ten whenever
they open their mouth. They re-shape their offerings to fit into
OWASP taxonomies and projects etc.

What annoys me more than that behaviour is the lack of open source
competition. My niche is ModSecurity and I really wish I could
compete with other open source offerings in the vicinity of A7.
But there are only commercial offerings (at least in my competition).
There is a real need in this regard I think.

> is a completely different category and level of risk - it's not a
> vulnerability per se, it's just a weak second line of defence *if and
> only if real vulnerabilities are present in the app*.

I think this distinction is just ridiculous when we leave the domain of
sophisticated discourse and enter the real world.  I am running some
research together with Damiano Esposito from Zurich University of
Applied Sciences. We are testing the effectiveness of the OWASP
ModSecurity Core Rule Set against a variety of security scanners (Burp,
Zap, Arachni etc.) Our Burp run consists of 2.5M requests.  A
standard web application without a protection as defined in A7 will
simply let Burp carry out its tests. 2.5M attack attempts.  And your
argumentation says this is not a problem in itself and only becomes one
if real vulnerabilities are present in the app.  As if vulnerabilities
in apps were a rare and exotic occurrence.

This is like a bank with dozens of robbers attempting to drill
through the wall and the bank does not call the police because 
technically this is not a vulnerability in itself, it only becomes a 
problem if the wall has a weak spot. Sounds crazy in my ears.

No: Letting Burp perform 2.5M requests will turn up something. And
that's sure like the amen in church. Stopping the scan is a means of

(In case anybody is interested in that security scanner / Core Rule Set
research, then attend my talk at AppSecEU in Belfast, where I will
present some of the results during my CRS intro talk.)



mailto:christian.folini at netnea.com
twitter: @ChrFolini
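The message above argues that letting a scanner fire millions of probes at an application is a problem in itself, and that stopping the scan is the point of A7-style attack protection. The following is an added illustration of that idea (it is not code from the thread, from ModSecurity or from the Core Rule Set): a small per-client anomaly scorer that replays web-server log lines, assigns points to error responses, well-known probe paths and scanner user agents, adds a penalty for request bursts, and blocks a client once its score within a sliding window crosses a threshold. The log lines, the point weights, the probe-path patterns and the thresholds are all constructed for the example and would need tuning for a real deployment.

```python
"""Added example: anomaly-scored blocking of scanner-like clients.

Not part of the mailing-list thread, ModSecurity or the CRS. The log
format is the common "combined" format; weights, patterns and the
threshold are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (addresses are from documentation ranges).
# 198.51.100.5 is an ordinary visitor; 203.0.113.7 behaves like a scanner.
SAMPLE_LOG = """\
198.51.100.5 - - [30/Apr/2017:19:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Apr/2017:19:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [30/Apr/2017:19:00:03 +0000] "GET /style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Apr/2017:19:00:03 +0000] "GET /.git/config HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Apr/2017:19:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.5 - - [30/Apr/2017:19:00:05 +0000] "GET /missing.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Apr/2017:19:00:05 +0000] "GET /../../etc/passwd HTTP/1.1" 400 150 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Apr/2017:19:00:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Apr/2017:19:00:07 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Illustrative probe signatures; a real ruleset has far more.
PROBE_PATH_RE = re.compile(r'(\.git/|wp-login\.php|etc/passwd|phpmyadmin|\.env$|\.\./)', re.I)
SCANNER_UA_RE = re.compile(r'(sqlmap|nikto|arachni|nmap|masscan)', re.I)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def score_request(rec):
    """Assign anomaly points to a single request (assumed weights)."""
    score = 0
    if rec['status'] >= 400:          # errors: scanners generate many of them
        score += 1
    if PROBE_PATH_RE.search(rec['path']):   # request for a path only probes ask for
        score += 3
    if SCANNER_UA_RE.search(rec['ua']):     # self-identifying tool user agent
        score += 5
    return score


class ClientTracker:
    """Sliding-window score per client IP; blocks once the window total crosses a threshold."""

    def __init__(self, window=timedelta(seconds=60), block_threshold=15, rate_limit=20):
        self.window = window
        self.block_threshold = block_threshold
        self.rate_limit = rate_limit        # requests per window before burst penalty applies
        self.events = defaultdict(deque)    # ip -> deque of (timestamp, score)
        self.blocked = set()

    def window_score(self, ip):
        return sum(s for _, s in self.events[ip])

    def observe(self, rec):
        """Record one request; return True if the client is (now) blocked."""
        ip = rec['ip']
        if ip in self.blocked:
            return True
        q = self.events[ip]
        while q and rec['ts'] - q[0][0] > self.window:   # expire old events
            q.popleft()
        score = score_request(rec)
        if len(q) >= self.rate_limit:     # burst penalty for every request beyond the limit
            score += 2
        q.append((rec['ts'], score))
        if self.window_score(ip) >= self.block_threshold:
            self.blocked.add(ip)
            return True
        return False


def scan_log(text, tracker=None):
    """Replay log text through a tracker; return (tracker, [(ip, path, blocked), ...])."""
    tracker = tracker or ClientTracker()
    decisions = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decisions.append((rec['ip'], rec['path'], tracker.observe(rec)))
    return tracker, decisions


if __name__ == "__main__":
    tracker, decisions = scan_log(SAMPLE_LOG)
    for ip, path, blocked in decisions:
        print(f"{ip:14} {'BLOCK' if blocked else 'allow':5} {path}")
    print("blocked clients:", sorted(tracker.blocked))
```

In the sample, the ordinary visitor's single 404 leaves it at one point, while the scanner accumulates four points on each probe and is cut off at its fifth request, before its later requests are served at all; the ordering of the decisions is what a practitioner would check when tuning weights and the threshold against real traffic.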
