[Owasp-topten] Owasp-topten Digest, Vol 85, Issue 10

Martin Knobloch martin.knobloch at owasp.org
Mon May 22 18:51:08 UTC 2017


That is great indeed! This is what a community / OWASP is about, helping!

Cheers,
-martin

On Mon, May 22, 2017 at 6:00 PM, Matt Tesauro <matt.tesauro at owasp.org>
wrote:

> +1,000 on this from Colin and Tin
>
> Love to see other OWASP projects contribute to the Top 10 especially in
> such a constructive way.
>
> Cheers!
>
> -- Matt Tesauro
>
>
> On Mon, May 22, 2017 at 7:00 AM, <owasp-topten-request at lists.owasp.org>
> wrote:
>
>>
>> Message: 1
>> Date: Mon, 22 May 2017 11:54:05 +0100
>> From: Colin Watson <colin.watson at owasp.org>
>> To: Dave Wichers <dave.wichers at owasp.org>
>> Cc: Tin Zaw <tin.zaw at owasp.org>, OWASP TopTen <owasp-topten at lists.owasp.org>
>> Subject: Re: [Owasp-topten] RC feedback - Missing "Lack of anti-automation"
>> Message-ID: <CAAxdBB=3BFgnG8Kngp+Dy5pSYUn-ZuCTrnrUynSPR6jw+-9jLg at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Dave, and others
>>
>> Further to your request for assistance with making the text of A7 more
>> inclusive of our project's automated threats, as well as all four of the
>> issues you mentioned.
>>
>> We feel that including other risks in A7 as well as "Insufficient
>> Anti-Automation" dilutes this common and usually easily exploitable risk.
>> This increases confusion about how to address the various issues. However,
>> for the purposes of this reply we will assume A7 will continue to be the
>> stated small collection of different risks.
>>
>> We have not attempted to address anyone else's concerns with A7, but should
>> note that our project is technology and vendor agnostic, and our suggested
>> changes to the wording of A7 avoid the mention of specific technologies, or
>> products, or services. We welcome the Top Ten project's attempt to raise
>> awareness of automated threat weaknesses/vulnerabilities that often go
>> un-mentioned, yet are of real concern and impact to application owners.
>>
>> *1. Full page text*
>>
>> We realise there are constraints on space, and therefore we have mocked up
>> an updated page to ensure our suggested changes would fit in. Changed
>> sections are marked in the colour magenta in the PNG at
>> https://www.owasp.org/index.php/File:Owasp-a7-suggestions.png
>>
>> *2. Short description*
>>
>> The short description of A7 on page 7 of RC1 does not seem to include all
>> the issues A7 is meant to include. It is currently "The majority of
>> applications and APIs lack the basic ability to detect, prevent, and
>> respond to both manual and automated attacks. Attack protection goes far
>> beyond basic input validation and involves automatically detecting,
>> logging, responding, and even blocking exploit attempts. Application owners
>> also need to be able to deploy patches quickly to protect against
>> attacks." Based on your other emails to the Top Ten mailing list, our
>> project believes it might be better as: "The majority of applications and
>> APIs lack the basic ability to detect, prevent and respond to manual and
>> automated attacks. This includes insufficient attack detection,
>> insufficient attack response, insufficient countermeasures against
>> automated threats, and insufficient ability to patch quickly."
>>
>> *3. Title*
>>
>> Whilst of course we would have liked to see "Insufficient Anti-Automation"
>> as a single issue, we accept your project's desire to aggregate this with
>> some other issues. We do not mind too much the name "Insufficient Attack
>> Protection" but it may suggest to some it is more of an operational thing,
>> rather than encompassing the many countermeasures that can be considered
>> through the whole of the software development life cycle. Yes there are
>> design flaws and implementation bugs in this item!  Our project has not
>> been able to come up with a suggested better title that includes all the
>> aspects to be considered. Most Top Ten issues are 3-4 words long, although
>> we note that A1 is just "Injection". One suggestion - which we feel is weak
>> - is simply to name A7 "Automation", but this is a poor munging together of
>> meaning: a) Automated attacks and b) Automation of detection and response
>> defenses [to both manual and automated attacks]. However, it does remove
>> any other descriptive, and thus, judgemental words.
>>
>>
>>
>> Colin Watson and Tin Zaw
>> on behalf of the OWASP Automated Threats to Web Applications project
>> https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
>>
>>
>>
>> On 14 April 2017 at 16:43, Colin Watson <colin.watson at owasp.org> wrote:
>>
>> >
>> > On 13 April 2017 at 21:46, Dave Wichers <dave.wichers at owasp.org> wrote:
>> >
>> >> This absolutely does need to be part of A7
>> >
>> >
>> > Ah good!
>> >
>> >
>> >> Colin - help us figure out how to weave this in with the limited space
>> >> that we have on that one page.
>> >
>> >
>> > Will do, I'll put some suggestions together for your project's
>> > consideration.
>> >
>> > Colin
>> >
>> _______________________________________________
>> Owasp-topten mailing list
>> Owasp-topten at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>>
>>
>>
>