I am predicting a step change. Recently I have seen a new approach to cyber security and it comes from a very credible source, The Open Web Application Security Project (OWASP). In their own words

“OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.”

One task they undertake is to benchmark a “Top Ten” of application vulnerabilities. They have been doing this since December 2001. They have just published a new list in March 2017 and whilst this is still in the Request for Comments (RFC) it has one notable new addition not seen before. It comes in at number 7 and is:

Insufficient Attack Protection

Again in their own words:

"Detecting, responding to, and blocking attacks makes applications dramatically harder to exploit yet almost no applications or APIs have such protection……"

"It should be very obvious if attack detection and response isn’t in place. Simply try manual attacks or run a scanner against the application. The application or API should identify the attacks, block any viable attacks, and provide details on the attacker and characteristics of the attack…"

This is a radical change. For the first time applications and API’s will be judged on their ability to detect and protect themselves against attack. This will have a major impact on the design and development of applications. Programmers and developers will now put cyber security issues into the design and development stage. This has been advocated for sometime but having OWASP rank a lack of protection as a serious vulnerability will bring this to the forefront for everyone.

As developers begin to include this protection we will be able to gather data on who is attacking us and if we can find a way to share this data our collective threat intelligence will grow and becomes so much more effective. I am very pleased to see this new development and I am sure it will be a good thing for cyber security and provide better protection for us all.