OWASP Top 10 - 2017 RC1: A7 [Insufficient Attack Protection] (+T10)

[sslHello]

I'd like to suggest to

• rename A7 to

  • 'Insufficient Preparation for Attacks'
  • or 'Insufficient Defense Preparation'
  • or 'Lack of/Insufficient Defense Capabilities' (added later)
  • (Background: it should be short, but it should be also clear that it is seen from the defending side...)

• And it should be focussing on more aspects of preparing for attacks:

  • Defense in Depth (more than one security control supporting each other)
  • security architecture (network zones, DMZ(s) with multiple stages)
  • Distributed Deny of Service Mitigation
  • meaningful logging messages, detect unexpected conditions early in the code and generate appropriate logging messages and security alerts
  • Web Application Firewall (proactive filter, but even more as opportunity to compile a fast work around)

• [Am I Vulnerable to Attack?] should be changed to:

  • If you are not prepared for attacks or worse if you negate being a potentially target.
  • If you have not compiled an overall security architecture that includes all involved components. This components include all OSI layers from application until network and even physical security.
  • If you don’t try to see your application from the attackers side.
  • If you are not prepared to destructive attacks, e.g. (distributed) deny of service attacks.
  • If you aren’t able to detect attacks.
  • If you don’t define nor test you processes for Cyber Emergencies.
  • If you solely rely on automatic detection and prevention systems or web application filters.

• [How Do I Prevent This?]

  • There are four primary goals for sufficient preparation:
  • (1) Defense in Depth: Implemented more than one security control supporting each other. E.g. deploy secure code, but also use technologies like Web Application Firewalls (WAFs) to prevent some kinds of attacks.
  • (2) A strong application architecture that provides effective, secure separation between components and tenants.
  • (3) Detect Attacks: Detect unexpected conditions early in the code and generate appropriate logging messages and security alerts. Correlate the logging of all involved components.
  • (4) Respond to Attacks: Attacks may be critical to timely reaction. Decide by kind and severity whether to respond automatically (e.g. through OWASP AppSensor) or manually, e.g. develop temporary virtual patches using a WAF.

• [Example Attack Scenarios]

  • should be broadened, too (TBD), e.g. DDOS

• The summary at T10 could be broadened to something like:

  • The majority of applications are not prepared for attacks some even negate being a potentially target. The preparation starts best while designing the application adding defense in depth capacities (more than one security control supporting each other). There should be the ability to detect, prevent, and respond to both manual and automated attacks.

I've checked that the suggestet content fits into the .pptx of RC1: see the PDFs (suggestions for T10 are related to A7):

• A7: OWASP Top 10 - 2017 RC1 Feedback Torsten_ A7-Insufficient Attack Protection.pdf
• T10: OWASP Top 10 - 2017 RC1 Feedback Torsten_ T10-OWASP Top 10 Application Security Risks – 2017.pdf

Cheers Torsten Gigler

[sslHello]

Add references to #60, #57, #56, #55, #52, #50, #47, #45, #44, #41, #40, #37, #36, #32, #26, #24, #22, #15, #4

[sslHello]

Added above 'Lack of/Insufficient Defense Capabilities' as 3rd suggestion for a new name

[vanderaj]

This risk is going to be removed as per community feedback at the Project Summit, survey data and revised data call. Thank you for your input on this matter.