[Owasp-board] Status of OWASP Top 10 - 2010 release candidate 1

Dave Wichers dave.wichers at owasp.org
Mon Oct 19 20:42:28 UTC 2009


I don't want to put it in front of that broad of an audience before the
conference. The conference release is simply a release candidate, not the
final, so everyone will have a chance to comment on it broadly, which is
something we failed to do previously. So this is already better than
previous T10 releases.

I also don't want to steal the presentation's thunder by releasing it
broadly prior to the conference as well.

And the t-shirt will say RC1, on it, in case it changes.

-Dave

-----Original Message-----
From: tomb at proactiverisk.com [mailto:tomb at proactiverisk.com] On Behalf Of
Tom Brennan - OWASP
Sent: Monday, October 19, 2009 3:42 PM
To: Dave Wichers
Cc: OWASP Foundation Board List
Subject: Fwd: Status of OWASP Top 10 - 2010 release candidate 1

Dave, I think we should .pdf this and add to the owasp top 10 wiki project
page

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project and kick a
note to leaders list BEFORE putting things in print even on a shirt?


---------- Forwarded message ----------
From: Dave Wichers <dave.wichers at owasp.org>
Date: Sun, Oct 18, 2009 at 1:11 PM
Subject: RE: Status of OWASP Top 10 - 2010 release candidate 1
To: "Steven M. Christey" <coley at linus.mitre.org>, Juan Carlos Calderon Rojas
<juan.calderon at softtek.com>, Paul Petefish <PaulPetefish at solutionary.com>,
Jeremiah Grossman <jeremiah at whitehatsec.com>, arian evans
<arian.evans at whitehatsec.com>, Tom Brennan <tomb at owasp.org>, Andrew van der
Stock <vanderaj at owasp.org>, mike.boberski at gmail.com
Cc: jeff.williams at owasp.org


All,

Attached is the promised draft (a bit later than I hoped). Given this is in
Powerpoint, for formatting reasons, it's a bit difficult to include comments
directly (no change bars support!), so can you simply provide your comments
in an email, and include the page name, section area, and then the specific
comment for each comment you have?

Before diving into the specifics, can you let me know if you think the top
10 items are correct (in your opinion), and whether you have any concerns
about their ordering, or the risk factors for any of them?

Please, of course, keep this draft (and any public comments about it) under
your hat as it is going to debut at the OWASP DC conference and we want to
unveil it then.

The conference is thinking about printing hardcopies of it and providing one
to each attendee. For us to do so, we'd have to have this release candidate
completed at least one week prior. Therefore, I'd like to get all comments
back by next Sunday latest (10/25), so I can have 1 week to update it,
before this RELEASE CANDIDATE is locked in for the conference.

My plan is to publicly release it in Nov, gather comments until the end of
the year, update it, and release it as the OWASP Top 10 - 2010 sometime in
late Jan or Feb.

-Dave

p.s. I already know the cover page has the word Application twice in a row
in the title. When I get an updated cover from Larry. I'll fix that.



-----Original Message-----
From: Dave Wichers [mailto:dave.wichers at owasp.org]
Sent: Tuesday, October 13, 2009 4:47 PM
To: 'Steven M. Christey'; 'Juan Carlos Calderon Rojas'; 'Paul Petefish';
'Jeremiah Grossman'; 'arian evans'; 'Tom Brennan'; 'Andrew van der Stock';
'mike.boberski at gmail.com'
Cc: 'jeff.williams at owasp.org'
Subject: Status of OWASP Top 10 - 2010 release candidate 1

I just wanted to let you all know that Jeff and I are furiously working to
complete the 1st draft of the entire Top 10 from cover to cover (about 20
pages). It is essentially complete now, but we are reviewing it in detail
now. Once that review is complete and it has been updated, I plan to send it
out to all of you for the first round of external (but a small group)
review.

I hope to send it out by Thursday this week.

Please keep any drafts of this update to yourselves until it is officially
released at the DC conference on Nov. 12 or 13.

3 other small teams are pulling together new OWASP Prevention Cheat Sheets
that will be referenced by the Top 10. I don't know if all of you are
familiar with the two Jeff and I put together:

http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_S
heet
http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

but they are pretty concise but relatively complete discussions of these
topics. Three new ones are underway:

CSRF Prevention Cheat Sheet
Insecure Direct Object Reference Prevention Cheat Sheet
http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet (which
is complete and undergoing review)

Thanks, Dave



--
Tom Brennan
http://www.linkedin.com/in/tombrennan
Tel: 973.506.9303
AIM/Skype/GTalk/Yahoo = jinxpuppy




More information about the Owasp-board mailing list