OWASP / Top10

Official OWASP Top 10 Document Repository

A7 Seems out of place #57

Closed vanderaj closed 6 years ago

vanderaj commented 7 years ago

• Insufficient Attack Protection (A7) seems out of place. Historically OWASP Top 10 is a tool for app developers and risk professionals. With possible exception of RASP, A7 appears more targeted at data center staff who do patching, OS hardening, firewall rules, monitoring, etc. Those activities are important but organizations outside OWASP already address them.

Furthermore A7 stands out from rest of the list as more a solution than a vulnerability. If retained in the Top 10, we recommend restating it as a threat or vulnerability, e.g., “Undetected reconnaissance or probing.”

Mike McCormick
itscooper commented 7 years ago

Historically OWASP Top 10 is a tool for app developers and risk professionals

We discussed the 'target' of the OWASP Top Ten at the Summit today. We established that the OWASP Top Ten has always been a very general project that targets the whole AppSec community, and even more so in the last couple of iterations (where it became less vulnerability-focused and generalised towards risk). Whilst it has been organically well placed for certain people in certain roles (i.e. developers), I don't think that means we have to limit all future iterations to them.

For me A7 does feel different to the list items of previous iterations, but I think it reflects a key industry shift towards SecDevOps. This kind of issue is becoming more relevant for people involved in AppSec.

we recommend restating it as a threat or vulnerability, e.g., “Undetected reconnaissance or probing.”

There was a suggestion mentioned at the summit about changing it to "Insufficient Attack Detection and Prevention". I think there are multiple ways of titling any risk, and to me the best way for the OWASP Top Ten is whatever is easiest for the reader to consume. In this particular case, IMO the risk is best summarised as "Insufficient Attack Detection and Prevention" - I think that message is clear and it describes a risk in the form of a control that's lacking. I think trying to get into the semantics of aligning the language with the other items will result in something that's more difficult to understand.

Neil-Smithline commented 7 years ago

Related to https://github.com/OWASP/Top10/issues/60.

taprootsec commented 6 years ago

Thanks for the feedback on our comment. I don't love "Insufficient attack detection and prevention", only because it's so broad it essentially describes all ten vulns on the list, however I do prefer it to the current A7 title. At least it restates A7 in risk terminology instead of solution terminology.

vanderaj commented 6 years ago

This risk is going to be removed as per community feedback at the Project Summit, survey data and revised data call. Thank you for your input on this matter.