[Owasp-topten] Comments on OWASP Top 10 2017 RC1

Mike McCormick mikemc at bitstream.net
Wed May 31 01:22:11 UTC 2017

Jeff, Dave, and OWASP community:


Thank you for this opportunity to offer feedback on Release Candidate 1 of
the 2017 OWASP Top 10 list.


The OWASP Top 10 list has grown into an important tool used by developers,
risk professionals, and others.  At Taproot Security we use it regularly to
assess and prioritize application security risks with our clients.  Much has
changed since the last update in 2013, so this work is welcome.



We will confine our RC1 comments to the two proposed additions, A7 and A10:


*	Insufficient Attack Protection (A7) seems out of place.
Historically OWASP Top 10 is a tool for app developers and risk
professionals.  With possible exception of RASP, A7 appears more targeted at
data center staff who do patching, OS hardening, firewall rules, monitoring,
etc.  Those activities are important but organizations outside OWASP already
address them.  


Furthermore A7 stands out from rest of the list as more a solution than a
vulnerability.  If retained in the Top 10, we recommend restating it as a
threat or vulnerability, e.g., "Undetected reconnaissance or probing."


*	Unprotected APIs (A10) is a welcome addition.  We encounter API
security issues regularly in our practice, and they seem to be increasing
due to rapid adoption of SOA, RIA, REST, microservices, and API commerce.  A
case could be made for moving it higher on the list (above CSRF); if not in
2017, then in the near future based on observed trends.


Regardless of whether it stays at the bottom of the list, we recommend
raising its impact to Severe based on the types of services and data that
organizations are exposing via APIs (payments, medical charts, social
network profiles, tax history, etc.).


Under "Am I Vulnerable to Attack?" it would be worth mentioning two very
common API authentication anti-patterns: a) Service account password passed
in message body, often insecurely stored on client (e.g., properties file);
b) weak mutual TLS where service provider accepts any certificate issued
form a trusted CA (instead of white-listing trusted client certs).



Feel free to follow up if you have questions about these comments.


Taproot Security is a private firm advising industry and government on
information security issues, policy, risk remediation, and incident
response.  Our clients include a global retailer, national financial
institution, cloud software provider, IT consulting firm, sustainability
firm, and federal regulator.  We also advised the White House, Federal
Reserve Bank, NIST, and other agencies during the Obama administration.


We wish to thank the OWASP volunteers who worked on this for your dedication
and effort.  We look forward to using the final 2017 list.


Regards, Mike

Taproot Security


Mike McCormick, CISSP

mike at taprootsecurity.com <mailto:mike at taprootsecurity.com>  

Founder & President

Taproot Security LLC

www.taprootsecurity.com <http://www.taprootsecurity.com/>  


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170530/b081e1bc/attachment.html>

More information about the Owasp-topten mailing list