[Owasp-board] OWASP Top 10 Review

Dave Wichers dave.wichers at owasp.org
Wed Nov 11 15:22:20 UTC 2009

The top 10 presentation I have prepared for the conference is deliberately
intended to be reusable by others.


As such, it contains far more content than I can present at the conference,
so I'm going to skim past some of it, but it contains a full set of content
to present to a new audience about what the top 10 contains as well as what
it is about.


I have at least 3 slides on each top 10 item. The first is the description
of the problem and the risks it introduces, and then the 2nd is an example, and
the 3rd is focused on how to address or avoid this problem. And with the 3rd
slide I try to advertise the presence of the key mature OWASP resources that
are available to help in that area.


So, with the top 10, I'm trying to use its visibility to advertise much more
of the great work that is being done at OWASP, like the Guides, ESAPI, ASVS,




From: John Wilander [mailto:john.wilander at owasp.org] 
Sent: Tuesday, November 10, 2009 11:59 PM
To: jeff.williams at owasp.org
Cc: Tom Brennan - OWASP; Dave Wichers; OWASP Foundation Board List
Subject: Re: [Owasp-board] OWASP Top 10 Review



2009/11/10 Jeff Williams <jeff.williams at owasp.org>

Is that different than this. (from the draft)??   I guess you're suggesting
ratification by the membership/chapters/etc.  I'm not sure how we would come
to consensus.


I don't think it differs in any significant respect. The idea is to promote
November/December chapter meetings dedicated to discuss the new top ten
list. Such discussions would not only generate a good deal of comments but
also a real community feel and support for the new list. If every chapter
member world-wide has been invited to discuss the list before it's finalized
we can really consider this a community product.


We could (should) support the chapters by putting together an OWASP Top Ten
2010 draft presentation. It could be the one Dave is presenting on Friday.


After all, OWASP is mostly known for the top ten list so I think this is the
right issue to engage the community around.







Request for Comments 

OWASP plans to release the final public release of the OWASP Top 10 - 2010
during the first quarter of 2010 after a final, one-month public comment
period ending December 31, 2009. 


This release of the OWASP Top 10 marks this project's eighth year of raising
awareness of the importance of application security risks. This release has
been significantly revised to clarify the focus on risk. To do this, we've
detailed the threats, attacks, weaknesses, security controls, technical
impacts, and business impacts associated with each risk. By adopting this
approach, we hope to provide a model for how organizations can think beyond
the ten risks here and figure out the most important risks that their
applications create for their business. 


Following the final publication of the OWASP Top 10 - 2010, the
collaborative work of the OWASP community will continue with updates to
supporting documents including the OWASP wiki, OWASP Developer's Guide,
OWASP Testing Guide, OWASP Code Review Guide, and the OWASP Prevention Cheat
Sheet Series.


Constructive comments on this OWASP Top 10 - 2010 Release Candidate should
be forwarded via email to OWASP-TopTen at lists.owasp.org. Private comments may
be sent to dave.wichers at owasp.org.  Anonymous comments are welcome.  All
non-private comments will be catalogued and published at the same time as
the final public release.  Comments recommending changes to the items listed
in the Top 10 should include a complete suggested list of 10 items, along
with a rationale for any changes. All comments should indicate the specific
relevant page and section. 


Your feedback is critical to the continued success of the OWASP Top 10
Project. Thank you all for your dedication to improving the security of the
world's software for everyone.





Jeff Williams, Chair

The OWASP Foundation

Work: 410-707-1487

Main: 301-604-4882


From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Tom Brennan -
Sent: Tuesday, November 10, 2009 11:17 PM
To: Dave Wichers
Cc: john.wilander at owasp.org; OWASP Foundation Board List
Subject: [Owasp-board] OWASP Top 10 Review


What if... request for comment for the OWASP Top 10 (draft) was put out to
the membership at the Summit + at the conference at Dave's talk (of course)
to the community with a 30 day ratification to come from Chapters around the
world for RC1 then ratified with Jan 1 2010 official release.  This would be
an effort from the community (chapters and members) for the community and
each chapter can submit comment by X date.... just thinking (John Wilander's

Can you see the press covering this, industry folks and magazines that would
be FORCED to cover the Draft + RC1 + Release

Just thinking as we close out the bar ;)

