[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

Edwin Gozeling e.gozeling+owasp at itsec.nl
Fri May 12 09:18:02 UTC 2017


Hi Dave,

I opted for 'anomaly' as repeated occurrence of anomalies could be an
indication of ongoing reconnaissance. If you want to focus more on the
attack aspect, I would suggest something along the lines of:

	missing reconnaissance countermeasures

In my opinion, such a title would have limited overlap with the rest of
the Top 10 and leave (prevention of) exploitable conditions to the other
items.


On 30-4-2017 8:15, Paweł Krawczyk wrote:
> On 04/26/2017 08:09 AM, Christian Folini wrote:
>> Very often, new ideas face fierce opposition first. The question is
>> if they can stand the test of time.
>>
> Hi Christian,
> 
> The controversy about A7 is not about wording or it being a new idea.
> The controversy is about A7 being an outlier within the Top10 taxonomy
> and, more generally, about the alleged usage of Top10 as a sales
> platform, which inevitably leads to OWASP as a whole (!) losing
> credibility as an independent organisation. Just read through these:
> 
> https://twitter.com/hashtag/BuyYourOwnA7?src=hash
> 
> The problem with taxonomy is obviously visible if you compare what A7 is
> as compared to any other Top10 items - these are all serious
> vulnerabilities whose presence in a web app create an immediate and
> exploitable threat. A7 on the other hand is *lack of a safeguard* which
> is a completely different category and level of risk - it's not a
> vulnerability per se, it's just a weak second line of defence *if and
> only if real vulnerabilities are present in the app*. The #BuyYourOwnA7
> tweets are ridiculing this very much to the point.
> 
> A7 would make perfect sense in the OWASP Developers Guide or OWASP
> Cheat-sheets or in a hypothetical Top 10 web app controls, but it's
> being pushed into the "Top 10 Most Critical Web Application Security
> Risks", which is wrong from a taxonomy point of view and controversial
> due to Top10's marketing potential and past attempts to ride on it.
> 
> 
> 
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
> 