[Committees-chairs] Fwd: Invitation to Contribute: CWE/SANS 2011 Top 25 Most Dangerous Software Errors

Tom Brennan tomb at owasp.org
Sun Mar 13 11:54:17 EDT 2011


Industry/Projects appears to be primary here; however, this effort would help align both OWASP committees and community efforts globally.

OWASP may not globally agree with everything, as this is a MITRE effort; however, being asked to the dance is very positive in the big picture and requires the committee chairs to review, inform teams and collaborate on a collective response as an organization.

Please determine what interest your committee teams have by March 24th; ring me for discussion at 9732020122.




Begin forwarded message:

> From: "Martin, Robert A." <ramartin at mitre.org>
> Date: March 13, 2011 10:07:40 AM EDT
> To: Tom Brennan - OWASP <tomb at owasp.org>
> Cc: Common Weakness Enumeration-CWE <cwe at mitre.org>
> Subject: Invitation to Contribute: CWE/SANS 2011 Top 25 Most Dangerous Software Errors
> 

> Hello,
> 
> The MITRE Corporation and the SANS Institute are beginning the
> groundwork for the 2011 Top 25 Most Dangerous Software Errors.  We
> will be building on the successes of the 2009 and 2010 versions of
> the Top 25.
> 
> You are invited to participate in this year's effort.  The process
> will be similar to last year's, but there will be some important
> changes.
> 
> 1) Like previous years, we will develop a draft list of weaknesses
>   based on community input, which we will then propose to Top 25
>   contributors.
> 
> 2) We will get feedback from contributors, probably in the form of
>   voting/surveys, to help us decide which items should go onto the
>   master Top 25 list.  The 2010 process had some voting restrictions
>   that will be lifted this year.
> 
> 3) Last year's Top 25 included "focus profiles," which were customized
>   prioritizations of weaknesses based on more narrowly-defined
>   scenarios.  We have since expanded this concept to formalize
>   "vignettes," which are a critical component of the Common Weakness
>   Scoring System (CWSS), which is being developed in parallel.
> 
>   For more details, see CWSS version 0.3, which was recently
>   released:
> 
>     http://cwe.mitre.org/cwss/
> 
> 4) We are likely to make some modifications to last year's scoring
>   metric, which was based primarily on qualitative assessments of
>   prevalence and importance.  We will rely heavily on community
>   feedback to make these changes.
> 
>   For the prevalence factor, we might use a continuous numeric scale,
>   instead of a discrete set of 4 possible values.  For the importance
>   factor, we plan to leverage the "Technical Impacts" attributes
>   within CWE data, and map these to vignette-specific priorities that
>   interpret the technical impacts in light of business
>   considerations.  We intend to define multiple vignettes, primarily
>   within the scope of CWSS development.
> 
>   We will also consider adding other factors, such as likelihood of
>   exploit.  We will try to use quantitative measurements whenever
>   available.
> 
>   For inclusion on the final "master" Top 25 list, we intend to score
>   weaknesses based on a combined score from multiple vignettes.
> 
> 5) We do not have any fixed dates for release of the 2011 Top 25 at
>   this point, since there are several moving pieces (such as CWSS
>   development).  As with past efforts, however, we estimate that this
>   effort may take 2 to 3 months.
> 
> If you are interested in participating, you could help us with one or
> more of the following activities:
> 
> * Let us know whether you want to contribute through a discussion list
>  (which will not be publicly archived) or privately to us.
> 
> * Propose additional weaknesses for the Nominee List that you think
>  might be important enough for inclusion on the new Top 25.  (Assume
>  that the 2010 Top 25, and its "Cusp" items, are already covered; see
>  below.)
> 
> * Contribute to the development of specific CWSS vignettes,
>  archetypes, and/or business value context.  Example business domains
>  include (but are not limited to) Banking & Finance, E-Commerce,
>  Emergency Management, Energy, Avionics, Chemical, Manufacturing,
>  Public Health, e-Voting, etc.  Your input would also be valuable if
>  you have expertise in the use of particular groups of related
>  technologies that cross a variety of domains, such as web,
>  industrial/process control systems, embedded systems/devices, cloud
>  computing, general-purpose or real-time OSes, mobile apps,
>  enterprise desktop apps, etc.
> 
> * Help us to refine this year's voting/survey process, by giving
>  feedback on proposed metrics for ranking the Top 25, and by voting
>  on CWEs once the voting stage begins.
> 
> 
> We thank you ahead of time for any support you can give.  As a
> reminder, please let us know whether you want to be added to the
> mailing list, and please give us your thoughts on how you would like
> to contribute.
> 
> 
> Thank you,
> 
> Steve Christey, MITRE
> Bob Martin, MITRE
> Dennis Kirby, SANS
> Mason Brown, SANS
> Alan Paller, SANS
> 