[Owasp-topten] Top 10 2007
Andrew van der Stock
vanderaj at owasp.org
Sun Jun 25 09:37:00 EDT 2006
Hi folks

As part of our OWASP Chapter Leads meeting held at Leuven, it was
decided that the Top 10 was one of the projects to get an overhaul.
As I have a day a week to help out on OWASP things, I'd like to kick
things off again. I knew the list had some discussions a while ago
(in late 2005), and potentially we could re-use some of that
discussion to short circuit things.

As far as I'm aware, Jeff Williams is the Project Lead for the OWASP
Top 10, and please do not misunderstand how I fit in - I am available
as a part-time resource for this project due to my 1 day a week
dedicated to OWASP matters. I see myself most likely helping out with
a bit of project management to keep us on track / schedule, writing a
bit here and there, and doing some research. Like all open source
projects, we need volunteers to help create the materials as well.

I feel the best way to go forward is to put forward a schedule with
deliverable dates, and let's have a discussion around that. So here's
my plan:
0) Approach. I personally think the Top 10 is an education piece.
Most of the other Top X lists are about attacks and their
countermeasures, so let's stick to that formula as folks are used to
it. The current Top 10 consists of about 6 attacks and 4
countermeasures as top level headings, so it is more like the Top 6 or 7
than the Top 10. Let's have a good solid discussion about where this
list would like to see the Top 10 go.
Who: All.
Completion date: 30 June

a) Research into what exactly the 10 worst attacks for *web apps*
are in terms of frequency. I think we should put a few honorary items in
because there are significant fraud / privacy risks arising from them.
Our Top 10 should relate back to real world losses / damage - there's
no point in including a highly technical attack which may be popular
if it doesn't actually cause real harm to users. The focus on *web
apps* also means that we do not need to include Buffer Overflows.
That's the SANS Top 20's role, not OWASP's.
Who: Small group of volunteers
Completion date: 30 July

b) Straw man Top 10 - headings only
Who: Small group of volunteers to prepare list
Approve: All.
Completion date: 15 August
c) If the material from the previous Top 10 and the new straw man
overlap, re-use old material and update it.
Who: Small group of volunteers
Edit: Project Lead
Completion date: 30 August

d) If there is a new heading, write the new material - max 1 page per
attack. All Top 10 items are now complete.
Who: Small group of volunteers
Edit: Project Lead
Completion date: 30 September

e) Frontispiece. I think it's essential that we do a "State of the
Art" type of blurb, again fairly short at 1 page or so. In
particular, we should be making absolutely clear that the Top 10 is
an education piece, and how to proceed once the reader has adopted
web application security in their hearts.
Who: Project Lead or volunteer
Edit: Volunteer or two
Approve: All.
Completion date: 15 October
f) References. Check and update all references.
Ensure that all references used in the preparation of this edition
are accurate and properly cited, and that any from the previous edition
are updated or removed as necessary.
Who: Project Lead or volunteer or two
Completion date: 30 October

g) Presentation for OWASP Chapters
As an education piece, I really think a clear presentation on the
revised Top 10, given to all chapters to present freely at their
meetings, will really help get our message out.
Who: Probably me, but volunteers taken
Approve: All
Completion Date: December 31
h) Peer review and public comment
We now have some serious adopters of the Top 10, such as PCI, so we
will need to ensure that we have their input after we've made the
changes.
Who: Public and concerned users
Approve changes: Project Lead
Start date: 15 October for early access, 1 November for "release
candidate" in English
Completion date: 1 December

i) Text available for translation
Provide the release candidate material to translators.
Who: Translators
Start date: 15 October, but will require updates if the text changes
due to public comments
Completion date: 1 January

j) Release.
We need a press release, and someone able to do media.
The period between the end of public comments and the release day is
to enable us to edit and include any changes necessary - which is
necessarily a bit longer than I think it will actually take, but is
necessary due to the time of the year.
Who: Project Lead
Approve changes: All
Completion date: January 1, 2007. We can slip until January 27, 2007.

Who else can dedicate time for this? Thoughts?

thanks,
Andrew