A little while ago, I was thoroughly sick of the usual attack attack attack gumpf, and decided to put up a competition for Top 10 defenses.
Looking back at it, attacking the attackers is not a winning strategy. It’s a fact of human nature that it’s better to be a hot firefighter putting out a fire that costs a million bucks to put right than to be the materials engineer who designs cheap fireproof cladding. I’m burying the hatchet, as I burnt a fair bit of goodwill in my original announcement, which was not my intention at all. We still need folks to break stuff and disprove snake oil, so there’s a place for the dark side whether I agree with the focus on the dark side or not.
Just two nominations made Andrew sad despite the worthiness of the submissions.
- Rob Lewis nominated Trustifier http://trustifier.com/ryu/features.html
- I nominated Josh Zlatin, a colleague for the work he has done on PureWAF, extensions for the OWASP Core Rule Set + Mod Security. You can see the results of PureWAF on Pure Hacking’s website, which is behind our WAF in the cloud service. That’s not an invitation to attack us, just sayin’
Please discuss or vote in the comments section for who you think should get the non-existent gong.
The Sorta Inaugural 2011 Pure Hacking Top Web App Sec Defenses Competition
There are a couple of changes. Pure Hacking will be sponsoring the competition in 2011. There will be categories, such as Lifetime Achievement, Best Security Architecture, Best Left Field Idea, Best Secure Business Idea, Best Quick and Dirty Defense, Best Educator, and of course Best Defense. I will detail more about the categories as time goes on. I will be getting inappropriate statuettes made with engraving and everything. If you feel like you can donate something to boost the booty, contact me.
As for nominations, I will keep a running tally of awesomeness from my RSS feeds and other sources. You can nominate your favorite folks and defenses by e-mailing me – vanderaj ( at ) owasp.org. Come December 1, 2011, I’ll put them up for voting at which time I will disclose the prizes.
So far –
1. OWASP’s XSS roundtable at the OWASP Summit in Portugal is a worthy nominee. Let’s stamp out XSS.
2. I think Gunnar Peterson should get a Lifetime Prize just for being Gunnar. If more of us thought like Gunnar, the world would be a safer place and folks would be making a LOT more money than they do today.
Please keep this competition in mind throughout 2011.
6 thoughts on “Take Two on Top 10 2010 Security Defenses”
I am all in favour of this. I would have posted on the first post on this subject but I was actually busy and lacked time to respond properly. 🙁 Sorry.
In my experience, I have rarely found the need to develop stuff from scratch (blasphemer!). Typically there is a plethora of solutions out there to a myriad of problems – some technical, others not. I’ve used software to solve some problems, business practises for others.
OWASP has been – and continues to be – my saviour on many levels. The real builders are the guys who continue to innovate and create or add to the projects. I must admit I wish I had time to contribute more to these projects (and probably will once I finish my degree). In that regard, I feel that I am a poor excuse of a builder.
Henry Ford was once quoted as being able to solve any problem you put to him by his ability to summon the most qualified person to provide him with the answer. With the Internet at our disposal, we have a very similar, if not greater, capability to leverage the knowledge of those who have come before us. We can re-use proven technologies and approaches to solving common problems as we do with cryptographic standards (admittedly most without the same rigor of peer review). If I find a tool that does 80%-90% of what I want it to do, I’d much prefer to work with that and fix it rather than reinvent the wheel.
This isn’t an excuse not to innovate – although it is more of a confession on my part. My point is that builders, by virtue of what we do, have the luxury of being able to re-use more frequently.
Breakers do not. They MUST innovate to find new ways to counter what the builders conjure up, ESPECIALLY when an established mechanism is found and reused. Should a new attack method we have not foreseen arise tomorrow, chances are that ESAPI will be affected. Then we must focus our defensive efforts where they will yield the most bang for buck.
This ramble has gone on WAY longer than I had intended but I really want to make the point that:
1) we must not be bound to technical solutions to problems alone.
OWASP has some brilliant foundational work already:
I think is one project that is still in its infancy, but probably an example of what I have found to be a much more powerful tool in many ways (the pen being mightier than the sword indeed).
2) and stress that innovation can be found through application of existing works. Yes, I can see that is a category already, but I think we all fail at times to see true genius at work in front of us.
Sorry for crapping on.
Thank you for the kind words. But if we wanted to make real money we should have got in the log management business 😛
The best defense is a really neat idea
I nominated OWASP AppSensor some time ago, but perhaps the email didn’t get through.
Sorry, no, it didn’t get through. I will give Google Apps a rather good ferreting.
I didn’t understand the topic very well, but anyway thank you for this competition, I know now!