I find the article very interesting, but I couldn’t help but notice that OWSAP has the same top ten for the past 5 years, as you can see in this article: https://owasp.org/www-project-top-ten/
I wonder why nobody tackles these issues as they’re known for quite some time now.
People do tackle these issues, especially at the web server and framework level. Thing is, there’s a lot of old software out there, and a lot of developer that have habits ingrained from before the web was a thing, and it’s not like 100% of all tutorials say “Oh, if you’re writing a webapp, watch the OWASP top 10”.
That ‘browse down’ idea sounds great, on paper. My biggest gripe with this type of writers/ papers is that they don’t seem based in reality.
If anyone here actually deploys at scale a VM solution like the one described, I’d love to hear more about it. Specifically, if in Windows for end-users, please elaborate on how that licensing pain plays out. In general, you’re doubling the amount of licensing for patching, AV, OS licensing. And your Admins will still browse out on the ‘secure’ system. Additionally, would you do this to devs, Tier II/ anyone that touches servers?
Again, I may be wrong, but this sounds like the wet dream of a professor that is out of touch with the state of the industry.
I had to laugh out loud. I’ve never even worked at a company that would’ve paid for a second system for any administrator to work on that was not “potentially contaminated” by browsing the web for normal work.