Fetching contributors…
Cannot retrieve contributors at this time
66 lines (44 sloc) 2.69 KB
layout title type track technology related-to status when-day when-time location     organizers   participants outcomes
A7 - Insufficient Attack Protection
Owasp Top 10 2017
Dynamic Session
Dave Wichers,
Sebastien Deleersnyder, Jonas Vanalderweireldt

Based on analysis of more than 2.3 million vulnerabilities in more than 50,000 applications, the OWASP Top 10 2017 introduces two new categories: Insufficient Attack Protection and Underprotected APIs.

Since one of the basic security capabilities is being able to detect, prevent, and respond to manual and automated attacks, every modern application needs to have the ability to block these attacks. Thus, companies need to decide whether they want to be one of those organizations that put their business, employees, and their customers at risk with a code that has obvious vulnerabilities.


The OWASP Top 2017 introduces Insufficient Attack Protection as a new Top 10 category, and this Working Session will present an opportunity to challenge or support its addition to the new Top 10.

While the introduction of Underprotected APIs is considered by most as a good addition, Insufficient Attack Protection managed to generate a significant number of negative comments such as that A7 is just a WAF vendor pitch. While the same could have been said for 2FA when the security industry started pushing it, the idea behind A7 is much more than a sales pitch.

The idea behind A7 is the "Security-as-Code" principle meaning that security professionals should translate every security requirement, every threat model, and every security architecture into code that could be run during development, build, test, and deployment process.


  • Review data behind this new category
  • Review current description and text
  • What are the pros and cons of this category?
  • Is this category important enough to be added to the new Top 10?


This Working Session will decide whether the Underprotected APIs category will be added to the Top 10.


The target audience for this Working Session is:

  • Security professionals
  • AppSec teams
  • Tool vendors
  • Application developers
  • Application architects


Working materials

Draft proposal whether or not the Underprotected APIs category should be added to the Top 10.


... Add content ...