Contrast Security has addressed the recent backlash over section A7 of the OWASP Top 10 list for 2017. The company issued a statement on the matter after industry professionals suggested the A7 addition was an example of a vendor pushing their agenda on the OWASP Top 10 project.

The OWASP Top 10 for 2017 was released earlier this month in draft format, so some changes could take place before the final, official release.

However, when the public started looking at the draft, sections A7 and A10 stood out. Most of those commenting on the changes agree that A10 is a good addition, as API security is important these days, while dismissing A7 as a vendor pitch.

A7: Insufficient Attack Protection

According to Contrast Security, this new addition to the OWASP Top 10 means that applications will need to detect, prevent, and respond to both manual attacks, as well as automated ones. The idea is to remove, "invalid input" messages with actions, such as blocking the attempts and flagging the account in question.

As it happens, Contrast Security offers a product called Contrast Protect, which could deal with the situations covered by A7. In addition, Contrast Security was one of the vendors who made suggestions leading to the creation of A7 (the others were Shape Security and Network Test Labs Inc.). The outline of A7 even mentions Runtime Application Self Protection (RASP) directly, which is what Contrast Security offers.

The mention of RASP caught some flack as well, with many people referencing a Dark reading article from 2015 calling the solution a false sense of security.

An outline of some of the complaints against OWASP, the addition of A7, and Contrast Security can be viewed with just a few searches of social media, including Twitter, where most of the complaints originated (archive link).

Outside of Twitter, some professionals took to their personal blogs to offer their opinions on the matter.

"…addressing any other entry in the top 10 provides a clear net positive to a webapp’s security posture, whereas complying with A7 can easily cause a net harm. Complying with A7 makes it extremely awkward to run an accessible bug bounty program, since it will hinder researchers trying to help you out. It also increases your attack surface (much like antivirus software) and introduces the risk of denial of service attacks by spoofing attacks from other users…," wrote James Kettle on his blog, Skeleton Scribe.

On Medium, Josh Grossman, weighed in and noted that the latest draft of the OWASP Top 10 does not have the appearance of independence, and it isn't clear if it can demonstrate actual independence, due to the way the raw data is presented, as it isn't clear how that data resulted in the current list.

He also stressed that more companies need to be involved in contributing to efforts like the OWASP Top 10, noting that only eleven companies had "contributed the vast majority" of the data in this newest draft.

On the nVisium blog, the company posted their thoughts on the latest OWASP Top 10 draft, paying close attention to the raw data and what could be learned from it.

On the OWASP mailing list, comments on A7 were rather blunt, including one that it was "a solution looking for a problem, rather than a distinct development issue that programmers should become aware of."

Another email thread on the topic had those on both sides of the argument weighing in. The COO and co-founder of Aspect Security, Dave Wichers, also commented on the topic.

Considering all the comments, Salted Hash reached out to Contrast Security and asked them to comment on the situation. Jeff Williams, the company's CTO and co-founder offered a detailed response, which we have posted below, with no editing or corrections: