[Committees-chairs] Fwd: Invitation to Contribute: CWE/SANS 2011 Top 25 Most Dangerous Software Errors
tomb at owasp.org
Sun Mar 13 11:54:17 EDT 2011
Industry/Projects appears to be primary here; however this effort would help align both owasp committees and community efforts globally.
OWASP may not globally agree with everything, as this is a MITRE effort; however, being asked to the dance is very positive in the big picture and requires the committee chairs to review, inform teams and collaborate on a collective response as an organization.
Please determine what interest your committee teams have by March 24th, and ring me to discuss: 9732020122
Begin forwarded message:
> From: "Martin, Robert A." <ramartin at mitre.org>
> Date: March 13, 2011 10:07:40 AM EDT
> To: Tom Brennan - OWASP <tomb at owasp.org>
> Cc: Common Weakness Enumeration-CWE <cwe at mitre.org>
> Subject: Invitation to Contribute: CWE/SANS 2011 Top 25 Most Dangerous Software Errors
> The MITRE Corporation and the SANS Institute are beginning the
> groundwork for the 2011 Top 25 Most Dangerous Software Errors. We
> will be building on the successes of the 2009 and 2010 versions of
> the Top 25.
> You are invited to participate in this year's effort. The process
> will be similar to last year's, but there will be some important
> 1) Like previous years, we will develop a draft list of weaknesses
> based on community input, which we will then propose to Top 25
> 2) We will get feedback from contributors, probably in the form of
> voting/surveys, to help us decide which items should go onto the
> master Top 25 list. The 2010 process had some voting restrictions
> that will be lifted this year.
> 3) Last year's Top 25 included "focus profiles," which were customized
> prioritizations of weaknesses based on more narrowly-defined
> scenarios. We have since expanded this concept to formalize
> "vignettes," which are a critical component of the Common Weakness
> Scoring System (CWSS), which is being developed in parallel.
> For more details, see CWSS version 0.3, which was recently
> 4) We are likely to make some modifications to last year's scoring
> metric, which was based primarily on qualitative assessments of
> prevalence and importance. We will rely heavily on community
> feedback to make these changes.
> For the prevalence factor, we might use a continuous numeric scale,
> instead of a discrete set of 4 possible values. For the importance
> factor, we plan to leverage the "Technical Impacts" attributes
> within CWE data, and map these to vignette-specific priorities that
> interpret the technical impacts in light of business
> considerations. We intend to define multiple vignettes, primarily
> within the scope of CWSS development.
> We will also consider adding other factors, such as likelihood of
> exploit. We will try to use quantitative measurements whenever
> For inclusion on the final "master" Top 25 list, we intend to score
> weaknesses based on a combined score from multiple vignettes.
> 5) We do not have any fixed dates for release of the 2011 Top 25 at
> this point, since there are several moving pieces (such as CWSS
> development). As with past efforts, however, we estimate that this
> effort may take 2 to 3 months.
> If you are interested in participating, you could help us with one or
> more of the following activities:
> * Let us know whether you want to contribute through a discussion list
> (which will not be publicly archived) or privately to us.
> * Propose additional weaknesses for the Nominee List that you think
> might be important enough for inclusion on the new Top 25. (Assume
> that the 2010 Top 25, and its "Cusp" items, are already covered; see
> * Contribute to the development of specific CWSS vignettes,
> archetypes, and/or business value context. Example business domains
> include (but are not limited to) Banking & Finance, E-Commerce,
> Emergency Management, Energy, Avionics, Chemical, Manufacturing,
> Public Health, e-Voting, etc. Your input would also be valuable if
> you have expertise in the use of particular groups of related
> technologies that cross a variety of domains, such as web,
> industrial/process control systems, embedded systems/devices, cloud
> computing, general-purpose or real-time OSes, mobile apps,
> enterprise desktop apps, etc.
> * Help us to refine this year's voting/survey process, by giving
> feedback on proposed metrics for ranking the Top 25, and by voting
> on CWEs once the voting stage begins.
> We thank you ahead of time for any support you can give. As a
> reminder, please let us know whether you want to be added to the
> mailing list, and please give us your thoughts on how you would like
> to contribute.
> Thank you,
> Steve Christey, MITRE
> Bob Martin, MITRE
> Dennis Kirby, SANS
> Mason Brown, SANS
> Alan Paller, SANS