[Owasp-topten] Top ten 2017 RC
e.gozeling+owasp at itsec.nl
Fri May 5 07:22:21 UTC 2017
Thanks for the examples. I think that all of them relate to 'users'
acting in an uncommon or undesired way, such as:
- using UI items/functionality not visible to them
- using automated tools rather than a browser
- bypassing client-side restrictions (field lengths etc)
- submitting payloads for (newly discovered or commonly known)
Basically, all of these are anomalies compared to regular application usage.
I think a title along the line of:
"Insufficient anomaly mitigation"
would suit the new category. In my opinion 'protection', as originally
proposed, could easily result in denial of service conditions as there
is a thin line between genuine user errors, and malicious activities.
On 4-5-2017 21:22, Dave Wichers wrote:
> A10 intentionally overlaps all of A1-A9, not just A7. The goal of A10 is
> to raise awareness that the proliferation of APIs needs to be secure,
> just like the rest of the web application.
> Attack Detection & Response are indeed 2 aspects of providing Attack
> Protection. But we also feel that Attack Prevention (for example the old
> school three failed logins and your account is locked mechanism) or a
> 'new school?' if you submit a request that includes a menu choice not
> offered to you (several times??) we are going to lock your account (or
> log you out), is important too. You could certainly consider these
> 'responses' and so that would fit within your proposed title.
> But what if an app detects a set of attacks, and then deploys some kind
> of temporary defense to prevent that type of attack. Is that considered
> a 'response' too? Or if the developer identifies a flaw based on
> monitoring attacks and quickly deploys a fix. Is that a 'response'? I
> don't think most people would think so.
> That's why we are proposing the broader title 'Insufficient Attack
> Protection'. Others have tried to add clarity to this title as well, but
> have frequently ended up with a much longer title, which is problematic
> in a different way.
> Any other suggested titles? I'd definitely love to come up with a better
> one, because it apparently is confusing to some people. But I haven't
> been able to think of one.
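As an added example (not part of this thread, and not OWASP's or either poster's code), the mechanisms the two messages discuss in working Python: a server-side check that a submitted menu choice was actually offered to the user, a field-length check that client-side bypass cannot defeat, the classic fixed-count login lockout, and, for the anomaly cases, a graduated response (log, then log out, then lock) so that a single user slip is not treated like sustained probing. The field names, thresholds and the request stream are assumed values constructed for the example.

```python
"""Server-side anomaly detection with a graduated response.

Constructed example: each request is checked against what the server
itself offered the user (menu choices, field lengths), anomalies are
tallied per session, and the response escalates (log -> logout -> lock)
so that a single user error is not treated like a sustained attack.
Failed logins use the classic fixed-count lockout for comparison.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed limits for the example; real values belong in application config.
MAX_FIELD_LENGTHS = {"username": 32, "comment": 500}
# (anomalies seen in this session, action to take once that count is reached)
RESPONSE_LADDER = [(1, "log"), (3, "logout"), (6, "lock")]
LOGIN_LOCK_THRESHOLD = 3  # the "three failed logins and you are locked" rule


@dataclass
class Session:
    user: str
    offered_choices: Set[str]            # menu items the UI rendered for this user
    anomalies: List[str] = field(default_factory=list)


class AnomalyMonitor:
    def __init__(self) -> None:
        self.failed_logins: Dict[str, int] = defaultdict(int)

    def check_request(self, session: Session, choice: Optional[str] = None,
                      fields: Optional[Dict[str, str]] = None) -> Optional[str]:
        """Validate one request server-side.

        Returns None for a clean request, otherwise the action from
        RESPONSE_LADDER for the session's running anomaly count. A request
        that violates several rules still counts as one anomaly.
        """
        found: List[str] = []
        if choice is not None and choice not in session.offered_choices:
            found.append(f"unoffered_choice:{choice}")
        for name, value in (fields or {}).items():
            limit = MAX_FIELD_LENGTHS.get(name)
            if limit is not None and len(value) > limit:
                found.append(f"length_bypass:{name}")
        if not found:
            return None
        session.anomalies.append(";".join(found))
        return self.response_for(len(session.anomalies))

    @staticmethod
    def response_for(hits: int) -> str:
        """Highest ladder rung whose threshold the count has reached."""
        action = "log"
        for threshold, rung in RESPONSE_LADDER:
            if hits >= threshold:
                action = rung
        return action

    def record_login(self, user: str, success: bool) -> str:
        """Fixed-count lockout: 'allow', 'deny', or 'lock' on the Nth failure."""
        if success:
            self.failed_logins[user] = 0
            return "allow"
        self.failed_logins[user] += 1
        if self.failed_logins[user] >= LOGIN_LOCK_THRESHOLD:
            return "lock"
        return "deny"


def run_demo() -> List[Optional[str]]:
    """Constructed request stream: one slip, then repeated probing."""
    monitor = AnomalyMonitor()
    session = Session(user="alice", offered_choices={"view", "edit"})
    stream = [
        {"choice": "view"},                          # normal use
        {"choice": "admin"},                         # hidden menu item, once
        {"fields": {"comment": "x" * 501}},          # client-side limit bypassed
        {"choice": "delete"},
        {"choice": "export"},
        {"choice": "admin", "fields": {"username": "y" * 40}},
        {"choice": "admin"},
    ]
    return [monitor.check_request(session, **req) for req in stream]


if __name__ == "__main__":
    print(run_demo())
```

The ladder is the point of contrast with the fixed-count lockout: the first hidden-menu request only produces a log entry, repeated hits end the session, and only a sustained run locks the account, which keeps a mistyped URL or a stale browser tab from turning the protection itself into a denial of service.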