[Owasp-board] Fwd: Status of OWASP Top 10 - 2010 release candidate 1

Tom Brennan - OWASP tomb at owasp.org
Mon Oct 19 19:42:04 UTC 2009

Dave, I think we should .pdf this and add to the owasp top 10 wiki project page

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project and kick
a note to leaders list BEFORE putting things in print even on a shirt?

---------- Forwarded message ----------
From: Dave Wichers <dave.wichers at owasp.org>
Date: Sun, Oct 18, 2009 at 1:11 PM
Subject: RE: Status of OWASP Top 10 - 2010 release candidate 1
To: "Steven M. Christey" <coley at linus.mitre.org>, Juan Carlos Calderon
Rojas <juan.calderon at softtek.com>, Paul Petefish
<PaulPetefish at solutionary.com>, Jeremiah Grossman
<jeremiah at whitehatsec.com>, arian evans <arian.evans at whitehatsec.com>,
Tom Brennan <tomb at owasp.org>, Andrew van der Stock
<vanderaj at owasp.org>, mike.boberski at gmail.com
Cc: jeff.williams at owasp.org


Attached is the promised draft (a bit later than I hoped). Given this is in
Powerpoint, for formatting reasons, it's a bit difficult to include comments
directly (no change bars support!), so can you simply provide your comments
in an email, and include the page name, section area, and then the specific
comment for each comment you have?

Before diving into the specifics, can you let me know if you think the top
10 items are correct (in your opinion), and whether you have any concerns
about their ordering, or the risk factors for any of them?

Please, of course, keep this draft (and any public comments about it) under
your hat as it is going to debut at the OWASP DC conference and we want to
unveil it then.

The conference is thinking about printing hardcopies of it and providing one
to each attendee. For us to do so, we'd have to have this release candidate
completed at least one week prior. Therefore, I'd like to get all comments
back by next Sunday latest (10/25), so I can have 1 week to update it,
before this RELEASE CANDIDATE is locked in for the conference.

My plan is to publicly release it in Nov, gather comments until the end of
the year, update it, and release it as the OWASP Top 10 - 2010 sometime in
late Jan or Feb.


p.s. I already know the cover page has the word Application twice in a row
in the title. When I get an updated cover from Larry, I'll fix that.

-----Original Message-----
From: Dave Wichers [mailto:dave.wichers at owasp.org]
Sent: Tuesday, October 13, 2009 4:47 PM
To: 'Steven M. Christey'; 'Juan Carlos Calderon Rojas'; 'Paul Petefish';
'Jeremiah Grossman'; 'arian evans'; 'Tom Brennan'; 'Andrew van der Stock';
'mike.boberski at gmail.com'
Cc: 'jeff.williams at owasp.org'
Subject: Status of OWASP Top 10 - 2010 release candidate 1

I just wanted to let you all know that Jeff and I are furiously working to
complete the 1st draft of the entire Top 10 from cover to cover (about 20
pages). It is essentially complete now, but we are reviewing it in detail
now. Once that review is complete and it has been updated, I plan to send it
out to all of you for the first round of external (but a small group)

I hope to send it out by Thursday this week.

Please keep any drafts of this update to yourselves until it is officially
released at the DC conference on Nov. 12 or 13.

3 other small teams are pulling together new OWASP Prevention Cheat Sheets
that will be referenced by the Top 10. I don't know if all of you are
familiar with the two Jeff and I put together:


but they are pretty concise but relatively complete discussions of these
topics. Three new ones are underway:

CSRF Prevention Cheat Sheet
Insecure Direct Object Reference Prevention Cheat Sheet
http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet (which
is complete and undergoing review)

Thanks, Dave

Tom Brennan
Tel: 973.506.9303
AIM/Skype/GTalk/Yahoo = jinxpuppy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OWASP T10 - 2010 RC1 Draft.pptx
Type: application/vnd.openxmlformats-officedocument.presentationml.presentation
Size: 561216 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20091019/3fdc8605/attachment.pptx>
