Closed vanderaj closed 7 years ago
I very much like the fact that A7 includes the detection and prevention of manual attacks as well. As a pentester, when I'm testing a network, I am regularly being called out and noticed during successful attacks because SecOps are getting alerts etc. This almost never happens when I successfully compromise web applications and APIs, and I think this is a major issue given that many organisations are shifting towards web-based technologies.
Although I completely understand the rationale of being more specific, I personally think that manual attack detection and prevention deserves more than being an honorable mention, and is closely related enough that it makes sense to bundle.
This risk is going to be removed as per community feedback at the Project Summit, survey data and revised data call. Thank you for your input on this matter.
Further to your request for assistance with making the text of A7 more inclusive of our project's automated threats, as well as all four of the issues you mentioned. We feel that including other risks in A7 as well as "Insufficient Anti-Automation" dilutes this common and usually easily exploitable risk. This increases confusion about how to address the various issues. However, for the purposes of this reply we will assume A7 will continue to be the stated small collection of different risks. We have not attempted to address anyone else's concerns with A7, but should note that our project is technology and vendor agnostic, and our suggested changes to the wording of A7 avoid the mention of specific technologies, products, or services. We welcome the Top Ten project's attempt to raise awareness of automated threat weaknesses/vulnerabilities that often go unmentioned, yet are of real concern and impact to application owners.
Based on your other emails to the Top Ten mailing list, our project believes it might be better as: