[Owasp-topten] RC feedback - Missing "Lack of anti-automation"
colin.watson at owasp.org
Mon May 22 10:54:05 UTC 2017
Dave, and others
Further to your request for assistance with making the text of A7 more
inclusive of our project's automated threats, as well as all four of the
issues you mentioned.
We feel that including other risks in A7 as well as "Insufficient
Anti-Automation", dilutes this common and usually easily exploitable risk.
This increases confusion about how to address the various issues. However,
for the purposes of this reply we will assume A7 will continue to be the
stated small collection of different risks.
We have not attempted to address anyone else's concerns with A7, but should
note that our project is technology and vendor agnostic, and our suggested
changes to the wording of A7 avoid the mention of specific technologies, or
products, or services. We welcome the Top Ten project's attempt to raise
awareness of automated threat weaknesses/vulnerabilities that often go
un-mentioned, yet are of real concern and impact to application owners.
*1. Full page text*
We realise there are constraints on space, and therefore we have mocked up
an updated page to ensure our suggested changes would fit in. Changed
sections are marked in the colour magenta in the PNG at
*2. Short description*
The short description of A7 on page 7 of RC1 does not seem to include all
the issues A7 is meant to include. It is currently "The majority of
applications and APIs lack the basic ability to detect, prevent, and
respond to both manual and automated attacks. Attack protection goes far
beyond basic input validation and involves automatically detecting,
logging, responding, and even blocking exploit attempts. Application owners
also need to be able to deploy patches quickly to protect against
attacks.". Based on your other emails to the Top Ten mailing list, our
project believes it might be better as: "The majority of applications and
APIs lack the basic ability to detect, prevent and respond to manual and
automated attacks. This includes insufficient attack detection,
insufficient attack response, insufficient countermeasures against
automated threats, and insufficient ability to patch quickly."
Whilst of course we would have liked to see "Insufficient Anti-Automation"
as a single issue, we accept your project's desire to aggregate this with
some other issues. We do not mind too much the name "Insufficient Attack
Protection" but it may suggest to some it is more of an operational thing,
rather than encompassing the many countermeasures that can be considered
through the whole of the software development life cycle. Yes there are
design flaws and implementation bugs in this item! Our project has not
been able to come up with a suggested better title that includes all the
aspects to be considered. Most Top Ten issues are 3-4 words long, although
we note that A1 is just "Injection". One suggestion - which we feel is weak
- is simply to name A7 "Automation", but this is a poor munging together of
meaning: a) Automated attacks and b) Automation of detection and response
defenses [to both manual and automated attacks]. However, it does remove
any other descriptive, and thus, judgemental words.
Colin Watson and Tin Zaw
on behalf of the OWASP Automated Threats to Web Applications project
On 14 April 2017 at 16:43, Colin Watson <colin.watson at owasp.org> wrote:
> On 13 April 2017 at 21:46, Dave Wichers <dave.wichers at owasp.org> wrote:
>> This absolutely does need to be part of A7
> Ah good!
>> Colin - help us figure out how to weave this in with the limited space
>> that we have on that one page.
> Will do, I'll put some suggestions together for your project's