[Owasp-board] [Owasp-leaders] Owasp top 10

Josh Sokol josh.sokol at owasp.org
Fri Apr 11 16:35:39 UTC 2014


Assuming we're seeing the same thing (
https://www.owasp.org/index.php/Top_10_2013-Introduction under
"Attribution"), then I'm not sure you can call this "the data".  That's
just a link to the briefings from each of these companies on the latest
attacks and threat vectors.  It's statistics through the lens of
marketing.  I think that what Eoin was looking for was the spreadsheets
that were analyzed in order to generate these statistics and, probably more
important, how we consumed those spreadsheets and dissected the information
in order to compute the OWASP Top 10.  Using data from other companies is
fine, but we need to be transparent in how that data gets bubbled up in
order to create the Top 10.  Are there workpapers of some sort?  Pivot
tables?  Some sort of ranking system?  I think that's what Eoin was asking
for.

~josh


On Fri, Apr 11, 2014 at 10:19 AM, Neil Smithline
<neil.smithline at owasp.org> wrote:

> The data is available. See the links on the T10 page Dave pointed you to.
> Search for the word "statistics". All Dave was saying is that OWASP neither
> hosts nor distributes the data. We just point you to the location the
> originator of the data has used to publish the data.
>
> Neil
>
> On Fri, Apr 11, 2014 at 3:40 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>> Thanks Dave,
>> So the data is not available, if I understand you correctly? I'm sure it
>> could be anonymised? I doubt contributors send you data with client
>> information within? The top 10 is a popular project and understanding the
>> data and model behind the project is important for the community.
>>
>>
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 11 Apr 2014, at 02:29, "Dave Wichers" <dave.wichers at owasp.org> wrote:
>>
>> > Rather than the Top 10 project directly publishing the raw (and frequently
>> > not very pretty or necessarily well organized) data that each provider sent
>> > to the project privately, we asked each data provider to publish their data
>> > publicly and then we linked to what they published in the OWASP Top 10
>> > itself in the attribution box on the Introduction page. This approach was
>> > taken to avoid the project publishing data that we didn't have explicit
>> > permission to redistribute (since we didn't ask for this permission when we
>> > made the original data call), and it also gave the data providers the
>> > opportunity to make their results look more presentable if they wished to do
>> > so before making their data public.
>> >
>> > The wiki page version of the Introduction page is here:
>> > https://www.owasp.org/index.php/Top_10_2013-Introduction which links to all
>> > the published data. Every organization that provided data to the OWASP Top
>> > 10 for 2013 made their data public.
>> >
>> > -Dave
>> >
>> > -----Original Message-----
>> > From: owasp-leaders-bounces at lists.owasp.org
>> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin Keary
>> > Sent: Thursday, April 10, 2014 4:56 PM
>> > To: Samantha Groves; OWASP Foundation Board List; OWASP Leaders
>> > Subject: [Owasp-leaders] Owasp top 10
>> >
>> > Hi,
>> > Can you let me know where all the data and materials are for the owasp top
>> > 10 2013?
>> > I'd like to see the metrics which resulted in the top 10 opened up to the
>> > public.
>> > Doing this we can develop trend analysis, metrics and chart progress.
>> > Can this be done?
>> >
>> > Regards,
>> >
>> > Eoin Keary
>> > Owasp Global Board
>> > +353 87 977 2988
>> >
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >