[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

Edwin Gozeling e.gozeling+owasp at itsec.nl
Fri May 12 09:18:02 UTC 2017

Hi Dave,

I opted for 'anomaly' as repeated occurrence of anomalies could be an
indication of ongoing reconnaissance. If you want to focus more on the
attack aspect, I would suggest something in the line of:

	missing reconnaissance countermeasures

In my opinion, such a title would have limited overlap with the rest of
the Top 10 and leave (prevention of) exploitable conditions to the other

On 30-4-2017 8:15, Paweł Krawczyk wrote:
> On 04/26/2017 08:09 AM, Christian Folini wrote:
>> Very often, new ideas face fierce opposition first. The question is
>> if they can stand the test of time.
> Hi Christian,
> The controversy about A7 is not about wording or it being a new idea.
> The controversy is about A7 being an outlier within the Top10 taxonomy
> and, more generally, about the alleged usage of Top10 as a sales
> platform, which inevitably leads to OWASP as a whole (!) losing
> credibility as an independent organisation. Just read through these:
> https://twitter.com/hashtag/BuyYourOwnA7?src=hash
> The problem with taxonomy is obviously visible if you compare what A7 is
> as compared to any other Top10 items - these are all serious
> vulnerabilities whose presence in a web app create an immediate and
> exploitable threat. A7 on the other hand is *lack of a safeguard* which
> is a completely different category and level of risk - it's not a
> vulnerability per se, it's just a weak second line of defence *if and
> only if real vulnerabilities are present in the app*. The #BuyYourOwnA7
> tweets are ridiculing this very much to the point.
> A7 would make perfect sense in the OWASP Developers Guide or OWASP
> Cheat-sheets or in a hypothetical Top 10 web app controls, but it's
> being pushed into the "Top 10 Most Critical Web Application Security
> Risks" which is wrong from a taxonomy point of view and controversial
> due to Top10's marketing potential and past attempts to ride on it.
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
