OWASP Top Ten A7

Waratek joins with other OWASP members calling for entry A7 to be removed from the proposed 2017 update to the OWASP Top Ten Critical Web Application Risks. We believe A7 should be replaced with a definable security risk based on quantifiable data.

Even though we are a RASP provider and could presumably benefit from the addition of A7 – Insufficient Attack Protection – to the 2017 OWASP Top Ten, we do not support adding this provision for these reasons:

  1. The OWASP Top Ten’s utility and credibility are tied to the fact it is a list of known web application security risks. A lack of a particular product or process is not a vulnerability in the classic sense.
  2. There are other OWSAP projects and lists (the OWASP Top Ten Security Controls, for example) that are a more appropriate place to address the issues raised in A7. If a special project is needed, one can easily be formed.
  3. Even the appearance of a conflict of interest is a threat to the credibility of OWASP. In order to preserve the independent, fact-based nature of the Top Ten List, vendors should provide data and insight to a project team as appropriate, but no vendor should provide leadership if it appears to benefit them.

The security professionals who depend on OWASP to provide fact-based, credible guidance on where they should direct their limited resources and time deserve a better process and outcome.