[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

Paweł Krawczyk pawel.krawczyk at hush.com
Mon May 1 08:19:14 UTC 2017

On 04/30/2017 08:52 PM, Christian Folini wrote:
> No: Letting Burp perform 2.5M requests will turn up something. And
> that's sure like the amen in church. Stopping the scan is a means of
> protection.
Hi Christian,

These are interesting arguments and I definitely do *recommend* my
clients using Waratek, Contrast, mod_security  or network IPS in any
case. However, I will reiterate that it's a *recommendation*, which the
client can then take and apply risk analysis, balancing their risk
profile and budget to come to a final decision.

And this is the right approach IMHO because application security process
is not about "turning up something" but preventing application
compromise. Burp is an automated scanner and you will always get
something like "missing httpOnly flag on CSRF cookie" which definitely
is "something" but is not necessarily an exploitable vulnerability but
rather a desired feature of the anti-CSRF scheme, for example.

And the trick with Top 10 is that it's frequently used as a formal
reference to software security policies, like "nothing with Top10 issues
can go into production".  And this particular corporate usage pattern of
Top10 is well known to both proposers of A7 as well as opponents, which
is one of the main reasons for the controversy. Because it makes a lot
of sense in case of XSS, SQLi, CSRF and other *exploitable
vulnerabilities* but is an unjustified change in the paradigm as it
comes to *security safeguards* that should be subject to risk analysis.
As you don't really need RASP on an internal desk booking web
application, which you still want to be free from any other Top10 issues.

Paweł Krawczyk
+44 7879 180015

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 866 bytes
Desc: OpenPGP digital signature
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170501/3378d0b0/attachment.pgp>

More information about the Owasp-topten mailing list