[Owasp-topten] Owasp-topten Digest, Vol 85, Issue 10

Matt Tesauro matt.tesauro at owasp.org
Mon May 22 16:00:24 UTC 2017


+1,000 on this from Colin and Tin

Love to see other OWASP projects contribute to the Top 10 especially in
such a constructive way.

Cheers!

-- Matt Tesauro


On Mon, May 22, 2017 at 7:00 AM, <owasp-topten-request at lists.owasp.org>
wrote:

>
> Message: 1
> Date: Mon, 22 May 2017 11:54:05 +0100
> From: Colin Watson <colin.watson at owasp.org>
> To: Dave Wichers <dave.wichers at owasp.org>
> Cc: Tin Zaw <tin.zaw at owasp.org>, OWASP TopTen
>         <owasp-topten at lists.owasp.org>
> Subject: Re: [Owasp-topten] RC feedback - Missing "Lack of
>         anti-automation"
> Message-ID:
>         <CAAxdBB=3BFgnG8Kngp+Dy5pSYUn-ZuCTrnrUynSPR6jw+-9jLg at mail.
> gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Dave, and others
>
> Further to your request for assistance with making the text of A7 more
> inclusive of our project's automated threats, as well as all four of the
> issues you mentioned.
>
> We feel that including other risks in A7 as well as "Insufficient
> Anti-Automation" dilutes this common and usually easily exploitable risk.
> This increases confusion about how to address the various issues. However,
> for the purposes of this reply we will assume A7 will continue to be the
> stated small collection of different risks.
>
> We have not attempted to address anyone else's concerns with A7, but should
> note that our project is technology and vendor agnostic, and our suggested
> changes to the wording of A7 avoid the mention of specific technologies, or
> products, or services. We welcome the Top Ten project's attempt to raise
> awareness of automated threat weaknesses/vulnerabilities that often go
> un-mentioned, yet are of real concern and impact to application owners.
>
> *1. Full page text*
>
> We realise there are constraints on space, and therefore we have mocked up
> an updated page to ensure our suggested changes would fit in. Changed
> sections are marked in the colour magenta in the PNG at
> https://www.owasp.org/index.php/File:Owasp-a7-suggestions.png
>
> *2. Short description*
>
> The short description of A7 on page 7 of RC1 does not seem to include all
> the issues A7 is meant to include. It is currently "The majority of
> applications and APIs lack the basic ability to detect, prevent, and
> respond to both manual and automated attacks. Attack protection goes far
> beyond basic input validation and involves automatically detecting,
> logging, responding, and even blocking exploit attempts. Application owners
> also need to be able to deploy patches quickly to protect against
> attacks.". Based on your other emails to the Top Ten mailing list, our
> project believes it might be better as: "The majority of applications and
> APIs lack the basic ability to detect, prevent and respond to manual and
> automated attacks. This includes insufficient attack detection,
> insufficient attack response, insufficient countermeasures against
> automated threats, and insufficient ability to patch quickly."
>
> *3. Title*
>
> Whilst of course we would have liked to see "Insufficient Anti-Automation"
> as a single issue, we accept your project's desire to aggregate this with
> some other issues. We do not mind too much the name "Insufficient Attack
> Protection" but it may suggest to some it is more of an operational thing,
> rather than encompassing the many countermeasures that can be considered
> through the whole of the software development life cycle. Yes there are
> design flaws and implementation bugs in this item!  Our project has not
> been able to come up with a suggested better title that includes all the
> aspects to be considered. Most Top Ten issues are 3-4 words long, although
> we note that A1 is just "Injection". One suggestion - which we feel is weak
> - is simply to name A7 "Automation", but this is a poor munging together of
> meaning: a) Automated attacks and b) Automation of detection and response
> defenses [to both manual and automated attacks]. However, it does remove
> any other descriptive, and thus, judgemental words.
>
>
>
> Colin Watson and Tin Zaw
> on behalf of the OWASP Automated Threats to Web Applications project
> https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
>
>
>
> On 14 April 2017 at 16:43, Colin Watson <colin.watson at owasp.org> wrote:
>
> >
> > On 13 April 2017 at 21:46, Dave Wichers <dave.wichers at owasp.org> wrote:
> >
> >> This absolutely does need to be part of A7
> >
> >
> > Ah good!
> >
> >
> >> Colin - help us figure out how to weave this in with the limited space
> >> that we have on that one page.
> >
> >
> > Will do, I'll put some suggestions together for your project's
> > consideration.
> >
> > Colin
> >
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten