[GPC] Fwd: Invitation to Contribute: CWE/SANS 2011 Top 25 Most Dangerous Software Errors

Jason Li jason.li at owasp.org
Mon Mar 14 17:40:48 EDT 2011


See below from Tom.

Probably makes sense to reach out to project leaders of the Top 10 guides
(various flavors) and/or the Dev/Code Review/Testing Guide teams.

Other thoughts?


---------- Forwarded message ----------
From: Tom Brennan <tomb at owasp.org>
Date: Sun, Mar 13, 2011 at 11:54 AM
Subject: Fwd: Invitation to Contribute: CWE/SANS 2011 Top 25 Most Dangerous
Software Errors
To: Joe Bernik <bernik at gmail.com>, Jason Li <jason.li at owasp.org>
Cc: Owasp Committ Chairs <committees-chairs at lists.owasp.org>, owasp-leaders
<owasp-leaders at owasp.org>

Industry/Projects appears to be primary here; however, this effort would help
align both OWASP committees and community efforts globally.

OWASP may not globally agree with everything, as this is a MITRE effort;
however, being asked to the dance is very positive in the big picture and
requires the committee chairs to review, inform teams and collaborate on a
collective response as an organization.

Please determine what interest your committee teams have by March 24th, and
ring me to discuss: 9732020122

Begin forwarded message:

*From:* "Martin, Robert A." <ramartin at mitre.org>
*Date:* March 13, 2011 10:07:40 AM EDT
*To:* Tom Brennan - OWASP <tomb at owasp.org>
*Cc:* Common Weakness Enumeration-CWE <cwe at mitre.org>
*Subject:* *Invitation to Contribute: CWE/SANS 2011 Top 25 Most Dangerous
Software Errors*


The MITRE Corporation and the SANS Institute are beginning the
groundwork for the 2011 Top 25 Most Dangerous Software Errors.  We
will be building on the successes of the 2009 and 2010 versions of
the Top 25.

You are invited to participate in this year's effort.  The process
will be similar to last year's, but there will be some important

1) Like previous years, we will develop a draft list of weaknesses
   based on community input, which we will then propose to Top 25

2) We will get feedback from contributors, probably in the form of
   voting/surveys, to help us decide which items should go onto the
   master Top 25 list.  The 2010 process had some voting restrictions
   that will be lifted this year.

3) Last year's Top 25 included "focus profiles," which were customized
   prioritizations of weaknesses based on more narrowly-defined
   scenarios.  We have since expanded this concept to formalize
   "vignettes," which are a critical component of the Common Weakness
   Scoring System (CWSS), which is being developed in parallel.

   For more details, see CWSS version 0.3, which was recently

4) We are likely to make some modifications to last year's scoring
   metric, which was based primarily on qualitative assessments of
   prevalence and importance.  We will rely heavily on community
   feedback to make these changes.

   For the prevalence factor, we might use a continuous numeric scale,
   instead of a discrete set of 4 possible values.  For the importance
   factor, we plan to leverage the "Technical Impacts" attributes
   within CWE data, and map these to vignette-specific priorities that
   interpret the technical impacts in light of business
   considerations.  We intend to define multiple vignettes, primarily
   within the scope of CWSS development.

   We will also consider adding other factors, such as likelihood of
   exploit.  We will try to use quantitative measurements whenever

   For inclusion on the final "master" Top 25 list, we intend to score
   weaknesses based on a combined score from multiple vignettes.

5) We do not have any fixed dates for release of the 2011 Top 25 at
   this point, since there are several moving pieces (such as CWSS
   development).  As with past efforts, however, we estimate that this
   effort may take 2 to 3 months.

If you are interested in participating, you could help us with one or
more of the following activities:

* Let us know whether you want to contribute through a discussion list
  (which will not be publicly archived) or privately to us.

* Propose additional weaknesses for the Nominee List that you think
  might be important enough for inclusion on the new Top 25.  (Assume
  that the 2010 Top 25, and its "Cusp" items, are already covered; see

* Contribute to the development of specific CWSS vignettes,
  archetypes, and/or business value context.  Example business domains
  include (but are not limited to) Banking & Finance, E-Commerce,
  Emergency Management, Energy, Avionics, Chemical, Manufacturing,
  Public Health, e-Voting, etc.  Your input would also be valuable if
  you have expertise in the use of particular groups of related
  technologies that cross a variety of domains, such as web,
  industrial/process control systems, embedded systems/devices, cloud
  computing, general-purpose or real-time OSes, mobile apps,
  enterprise desktop apps, etc.

* Help us to refine this year's voting/survey process, by giving
  feedback on proposed metrics for ranking the Top 25, and by voting
  on CWEs once the voting stage begins.

We thank you ahead of time for any support you can give.  As a
reminder, please let us know whether you want to be added to the
mailing list, and please give us your thoughts on how you would like
to contribute.

Thank you,

Steve Christey, MITRE
Bob Martin, MITRE
Dennis Kirby, SANS
Mason Brown, SANS
Alan Paller, SANS