[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

Christian Folini christian.folini at netnea.com
Mon May 1 17:11:53 UTC 2017


There seems to be some convergence in our positions and we might come
to a reasonable compromise position - whatever that would be. :)

But I think we have now exchanged all our arguments and I do not
want to bore the other list members continuing this thread.

Thank you for sharing your thoughts.



On Mon, May 01, 2017 at 09:19:14AM +0100, Paweł Krawczyk wrote:
> On 04/30/2017 08:52 PM, Christian Folini wrote:
> > No: Letting Burp perform 2.5M requests will turn up something. And
> > that's sure like the amen in church. Stopping the scan is a means of
> > protection.
> Hi Christian,
> These are interesting arguments and I definitely do *recommend* my
> clients using Waratek, Contrast, mod_security or network IPS in any
> case. However, I will reiterate that it's a *recommendation*, which the
> client can then take and apply risk analysis, balancing their risk
> profile and budget to come to a final decision.
> And this is the right approach IMHO because application security process
> is not about "turning up something" but preventing application
> compromise. Burp is an automated scanner and you will always get
> something like "missing httpOnly flag on CSRF cookie" which definitely
> is "something" but is not necessarily an exploitable vulnerability but
> rather a desired feature of the anti-CSRF scheme, for example.
> And the trick with Top 10 is that it's frequently used as a formal
> reference to software security policies, like "nothing with Top10 issues
> can go into production".  And this particular corporate usage pattern of
> Top10 is well known to both proposers of A7 as well as opponents, which
> is one of the main reasons for the controversy. Because it makes a lot
> of sense in case of XSS, SQLi, CSRF and other *exploitable
> vulnerabilities* but is an unjustified change in the paradigm when it
> comes to *security safeguards* that should be subject to risk analysis.
> As you don't really need RASP on an internal desk booking web
> application, which you still want to be free from any other Top10 issues.
> -- 
> Paweł Krawczyk
> +44 7879 180015

> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten

mailto:christian.folini at netnea.com
twitter: @ChrFolini
