[Owasp-topten] Top ten 2017 RC

Paweł Krawczyk pawel.krawczyk at hush.com
Thu May 4 21:01:38 UTC 2017


On 05/04/2017 08:22 PM, Dave Wichers wrote:
> A10 intentionally overlaps all of A1-A9, not just A7. The goal of A10
> is to raise awareness that the proliferation of APIs needs to be
> secure, just like the rest of the web application.
>
Dave, APIs have been in wide use for the last ~10 years, and the only
place where they are being "proliferated" recently is the financial
sector, with the advent of the Payment Services Directive and APIs
replacing SFTP in the B2B segment. But is the OWASP Top 10 targeted
exclusively at this sector?
>
> But what if an app detects a set of attacks, and then deploys some
> kind of temporary defense to prevent that type of attack. Is that
> considered a 'response' too?  Or if the developer identifies a flaw
> based on monitoring attacks and quickly deploys a fix. Is that a
> 'response'?  I don't think most people would think so.
The Twitter folk had more examples:

"insufficient oncall incident response staffing"
"Not running a bug bounty program"
"Insufficient Cyber Threat Attack Blink 3D Worldmap in the Office"
etc.

I would simply aggregate these with "not sticking to ISO 27002", as it
includes personnel background checks, media sanitization, backups, BCP
and other useful safeguards.
>
> I'm all for a better, more clear, more obvious to more people what we
> mean title. But I think the title you have proposed does not cover
> everything we intend for this new category to cover.
I guess just "Not sticking to infosec best practices" would be slightly
closer to the truth while preserving the blessed vagueness. Effectively,
the whole Top10 could be replaced with just A10 and A7 without any loss
of information.

-- 
Paweł Krawczyk
+44 7879 180015
