[Owasp-board] OWASP Top 10 2007 RC 1

Dave Wichers dave.wichers at owasp.org
Fri Jan 26 22:50:17 UTC 2007


Guys,

This is great work guys.

 

I spent most of the day finishing this up, and it's almost done. I also
ended up making a bunch of changes to the OWASP site to line things up a bit
with the references in this document.

 

Anyway. I think an hour or two of final touches from Andrew is all that's
necessary to get this done. I say Andrew because the biggest holes left are
in the PHP file include section, and some CVE entries that someone needs to
find (I'm hoping he's an expert at this). I also have 3-4 comments that I
think he can address easily.

 

Everything that needs work still is either marked in Yellow or has a
comment. Everything else is ready to go in my opinion.

 

Andrew, any chance you could knock this out over the weekend so it's ready
for review by Monday?

 

Thanks, Dave

 

p.s. I would also like to propose a Spring of Code project to line up the
proper depth of and organization of content for the OWASP Top 10 on the
OWASP site.  For some of the T10 topics, we have good stuff out on the wiki,
but for some we don't. We SHOULD have 4 articles on each of the Top 10
topics in the Wiki organized as described here:
http://www.owasp.org/index.php/SFA

 

I think a 'small' Spring of Code project could easily pull all this together
and maybe do a whole lot more.

 

  _____  

From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Thursday, January 18, 2007 1:02 PM
To: owasp-board at lists.owasp.org
Subject: Re: [Owasp-board] OWASP Top 10 2007 RC 1

Hi everyone,

 

I'm getting excited about this - a real improvement over previous versions.
I've updated these a lot (to the point where tracking was interfering with
editing a good bit).  There are still some things to fill in - many are
highlighted in yellow.  But I'm losing focus.

 

I like the schedule Dinis proposed, although I think we should play it by
ear to see if we need so many rounds.  Like software if we get to a release
candidate that proves stable, we should call it final and release.

 

--Jeff

 

  _____  

From: Dinis Cruz [mailto:dinis at ddplus.net] 
Sent: Thursday, January 18, 2007 7:23 AM
To: Andrew van der Stock
Cc: Andrew van der Stock; Dave Wichers; jeff.williams at owasp.org
Subject: Re: OWASP Top 10 2007 RC 1

 

Andrew are we set to go?

I want to include a reference to the Top 10 in this week's newsletter

Dinis

On 1/16/07, Andrew van der Stock <vanderaj at owasp.org> wrote:

Jeff should have a new draft this morning.  

 

He was unhappy that the headings as we discussed in November didn't come
through, just as I was unhappy with November's headings not relating
directly to MITRE's raw data (with the exception of CSRF). With the new
draft, we'll need to de-emphasize the MITRE correlation as it no longer is
strictly true.  

 

Andrew

 

On 16/01/2007, at 5:47 AM, Dinis Cruz wrote:

 

Hi Andrew, I think that this is ready for public distribution. 

I propose the following plan.

1) 'RC1 release' email to owasp-leaders
2) 1 week later RC1 email to owasp-all, multiple security mailing lists and
PCI 
3) 1 month later, 1st revision of comments, release of RC2 and go through
another round of peer review
4) 1 month later, 2nd revision of comments, release RC3 for final proof
(this might not be to owasp-all, probably just to owasp-topten and
owasp-leaders mailing list)
5) 2 weeks later, release final version (and do a big presentation about it
at the next OWASP conference) 

Dinis

On 1/15/07, Andrew van der Stock <vanderaj at gmail.com> wrote:

Hi guys, 

here's the release candidate draft I've worked on through the weekend. 
It takes into account all of our conversations through November.
However, it does make one change - input validation. This is really 
part of the raw data at #7, and I'd prefer not to have three access
control headings and no input validation. So we have two access 
control headings instead.

Please review, and if acceptable, forward to owasp-topten and 
owasp-leaders. Once we're happy it can be seen outside, it's time for
outside comment.

thanks,
Andrew 

-- 
Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?
http://www.owasp.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OWASP Top 10 2007.doc
Type: application/msword
Size: 621056 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20070126/3048b9b0/attachment-0002.doc>