[Owasp-topten] Top ten 2017 RC

Edwin Gozeling e.gozeling+owasp at itsec.nl
Fri May 5 07:22:21 UTC 2017

Hi Dave,

thanks for the examples. I think that all of them relate to 'users'
acting in an uncommon or undesired way, such as:
 - using UI items/functionality not visible to them
 - using automated tools rather than a browser
 - bypassing client-side restrictions (field lenghts etc)
 - submitting payloads for (newly discovered or commonly known)

Basically, all of these are anomalies compared to regular application usage.

I think a title along the line of:
 "Insufficient anomaly mitigation"

would suit the new category. In my opinion 'protection', as originally
proposed, could easily result in denial of service conditions as there
is a thin line between genuine user errors, and malicious activities.

On 4-5-2017 21:22, Dave Wichers wrote:
> A10 intentionally overlaps all of A1-A9, not just A7. The goal of A10 is
> to raise awareness that the proliferation of APIs need to be secure,
> just like the rest of the web application.
> Attack Detection & Response are indeed 2 aspects of providing Attack
> Protection. But we also feel that Attack Prevention (for example the old
> school three failed logins and your account is locked mechanism) or a
> 'new school?' if you submit a request that includes a menu choice not
> offered to you (several times??) we are going to lock your account (or
> log you out), is important too. You could certainly consider these
> 'responses' and so that would fit within your proposed title.
> But what if an app detects a set of attacks, and then deploys some kind
> of temporary defense to prevent that type of attack. Is that considered
> a 'response' too?  Or if the developer identifies a flaw based on
> monitoring attacks and quickly deploys a fix. Is that a 'response'?  I
> don't think most people would think so.
> That's why we are proposing the broader title 'Insufficient Attack
> Protection'. Others have tried to add clarity to this title as well, but
> have frequently ended up with a much longer title, which is problematic
> in a different way.
> Any other suggested titles? I'd definitely love to come up with a better
> one, because it apparently is confusing to some people. But I haven't
> been able to think of one.

More information about the Owasp-topten mailing list