[GPC] Fwd: Invitation to Contribute: CWE/SANS 2011 Top 25 Most Dangerous Software Errors
jason.li at owasp.org
Mon Mar 14 17:40:48 EDT 2011
See below from Tom.
Probably makes sense to reach out to project leaders of the Top 10 guides
(various flavors) and/or the Dev/Code Review/Testing Guide teams.
---------- Forwarded message ----------
From: Tom Brennan <tomb at owasp.org>
Date: Sun, Mar 13, 2011 at 11:54 AM
Subject: Fwd: Invitation to Contribute: CWE/SANS 2011 Top 25 Most Dangerous
To: Joe Bernik <bernik at gmail.com>, Jason Li <jason.li at owasp.org>
Cc: Owasp Committ Chairs <committees-chairs at lists.owasp.org>, owasp-leaders
<owasp-leaders at owasp.org>
Industry/Projects appears to be primary here; however, this effort would help
align both OWASP committees and community efforts globally.
OWASP may not globally agree with everything, as this is a MITRE effort;
however, being asked to the dance is very positive in the big picture and
requires the committee chairs to review, inform teams and collaborate on a
collective response as an organization.
Please determine what interest your committee teams have by March 24th; ring
me with discussion at 9732020122.
Begin forwarded message:
*From:* "Martin, Robert A." <ramartin at mitre.org>
*Date:* March 13, 2011 10:07:40 AM EDT
*To:* Tom Brennan - OWASP <tomb at owasp.org>
*Cc:* Common Weakness Enumeration-CWE <cwe at mitre.org>
*Subject:* *Invitation to Contribute: CWE/SANS 2011 Top 25 Most Dangerous
The MITRE Corporation and the SANS Institute are beginning the
groundwork for the 2011 Top 25 Most Dangerous Software Errors. We
will be building on the successes of the 2009 and 2010 versions of
the Top 25.
You are invited to participate in this year's effort. The process
will be similar to last year's, but there will be some important
1) Like previous years, we will develop a draft list of weaknesses
based on community input, which we will then propose to Top 25
2) We will get feedback from contributors, probably in the form of
voting/surveys, to help us decide which items should go onto the
master Top 25 list. The 2010 process had some voting restrictions
that will be lifted this year.
3) Last year's Top 25 included "focus profiles," which were customized
prioritizations of weaknesses based on more narrowly-defined
scenarios. We have since expanded this concept to formalize
"vignettes," which are a critical component of the Common Weakness
Scoring System (CWSS), which is being developed in parallel.
For more details, see CWSS version 0.3, which was recently
4) We are likely to make some modifications to last year's scoring
metric, which was based primarily on qualitative assessments of
prevalence and importance. We will rely heavily on community
feedback to make these changes.
For the prevalence factor, we might use a continuous numeric scale,
instead of a discrete set of 4 possible values. For the importance
factor, we plan to leverage the "Technical Impacts" attributes
within CWE data, and map these to vignette-specific priorities that
interpret the technical impacts in light of business
considerations. We intend to define multiple vignettes, primarily
within the scope of CWSS development.
We will also consider adding other factors, such as likelihood of
exploit. We will try to use quantitative measurements whenever
For inclusion on the final "master" Top 25 list, we intend to score
weaknesses based on a combined score from multiple vignettes.
5) We do not have any fixed dates for release of the 2011 Top 25 at
this point, since there are several moving pieces (such as CWSS
development). As with past efforts, however, we estimate that this
effort may take 2 to 3 months.
If you are interested in participating, you could help us with one or
more of the following activities:
* Let us know whether you want to contribute through a discussion list
(which will not be publicly archived) or privately to us.
* Propose additional weaknesses for the Nominee List that you think
might be important enough for inclusion on the new Top 25. (Assume
that the 2010 Top 25, and its "Cusp" items, are already covered; see
* Contribute to the development of specific CWSS vignettes,
archetypes, and/or business value context. Example business domains
include (but are not limited to) Banking & Finance, E-Commerce,
Emergency Management, Energy, Avionics, Chemical, Manufacturing,
Public Health, e-Voting, etc. Your input would also be valuable if
you have expertise in the use of particular groups of related
technologies that cross a variety of domains, such as web,
industrial/process control systems, embedded systems/devices, cloud
computing, general-purpose or real-time OSes, mobile apps,
enterprise desktop apps, etc.
* Help us to refine this year's voting/survey process, by giving
feedback on proposed metrics for ranking the Top 25, and by voting
on CWEs once the voting stage begins.
We thank you ahead of time for any support you can give. As a
reminder, please let us know whether you want to be added to the
mailing list, and please give us your thoughts on how you would like
Steve Christey, MITRE
Bob Martin, MITRE
Dennis Kirby, SANS
Mason Brown, SANS
Alan Paller, SANS