[Owasp-leaders] CWE/SANS Top 25 Most Dangerous ProgrammingErrors

Ivan Ristic ivan.ristic at gmail.com
Wed Jan 14 16:17:12 EST 2009

For what it's worth, my contribution was telling them the XSS section
was completely wrong. (It's been significantly improved since,
influenced by one of my XSS defence posts.)

I tend to be apolitical, and will give my opinion to anyone who asks
(when I have a moment to spare, that is). About this particular
effort, I share Arian's concerns about the quality (which he expressed
in the other thread): the list shouldn't have been published in the
current form.

Having said that, however, I don't think we (OWASP) should be
defensive. The application security field is so small compared to
other areas that we need to focus on growth, rather than on

On Wed, Jan 14, 2009 at 7:08 PM, Marcin Wielgoszewski <marcin at owasp.org> wrote:
> Yah, I did notice a couple people who are OWASP members contributed (notably
> Jeff, Ivan, etc).
> I think combined with Gary McGraw's column posted yesterday ( ) and Arian
> Evan's most recent email to the web-security mailing list
> (http://www.webappsec.org/lists/websecurity/archive/2009-01/msg00041.html)
> sum up my thoughts about the SANS/CWE list.  It's one of the issues I've had
> with these lists, asking people not to limit themselves to just the Top 10
> -- there are over 700+ CWE, 100+ CAPEC, 24 WASC TC etc to also take into
> account.
> I just think SANS tried to "one-up" OWASP with a new Top X list.
> Instead, perhaps Top 10 2009 should be Andrew's Top 10 Things To Do Right.
> On Wed, Jan 14, 2009 at 7:58 AM, Marco M. Morana <marco.m.morana at gmail.com>
> wrote:
>> Marcin
>> If you look at the contributors of this important document
>> http://www.sans.org/top25errors/, we have both people that implicitly are
>> OWASP members (e.g Jeff Williams, James Walden and Ivan Ristic the ones I
>> recognize) as well as explicitly as organization: The working group at the
>> first OWASP ESAPI Summit.
>> I am not sure that the fact that OWASP T10 is not mentioned lessen the
>> credit or miss an opportunity to shine as organization critical to produce
>> this document for software security
>> Regards
>> Marco
>> OWASP Chapter Lead
>> Writing Secure Software Blogger
>> ----- Original Message -----
>> From: Marcin Wielgoszewski
>> To: Jeff Williams
>> Cc: owasp-leaders at lists.owasp.org
>> Sent: Tuesday, January 13, 2009 10:01 AM
>> Subject: Re: [Owasp-leaders] CWE/SANS Top 25 Most Dangerous
>> ProgrammingErrors
>> Jeff, the thing that really bites me about it all... is nowhere, in any of
>> the news postings I've read since the release, has OWASP been mentioned or
>> given credit for its own Top 10.
>> Does anyone else feel the same way?  Or am I again being overly-possessive
>> and my preference for open-source, open-body organizations like OWASP
>> shining through?
>> On Tue, Jan 13, 2009 at 7:24 AM, Jeff Williams
>> <jeff.williams at aspectsecurity.com> wrote:
>>> I helped them out with this but didn't intend for them to assume an
>>> organizational endorsement.  Even though it's basically the top ten + buffer
>>> overflows, it helps our mission.
>>> --Jeff
>>> On Jan 13, 2009, at 12:34 AM, "Marcin Wielgoszewski" <marcin at owasp.org>
>>> wrote:
>>> Today SANS in conjunction with MITRE have released the CWE/SANS Top 25
>>> Most Dangerous Programming Errors [1].
>>> It appears OWASP Foundation has made an official statement supporting
>>> this initiative:
>>> OWASP Foundation: "When facing a huge application portfolio that could
>>> contain many thousands of instances of over 700 different types of
>>> weaknesses, knowing where to start is a daunting task. Done right, stamping
>>> out the CWE Top 25 can not only make you significantly more secure but can
>>> cut your software development costs."
>>> - Jeff Williams, Aspect Security CEO and The OWASP Foundation Chair
>>> [1] http://www.sans.org/top25errors/
>>> Thoughts?  How does this affect the OWASP Top 10 Project?  I'll reserve
>>> comment for the time being.
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> ________________________________
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Ivan Ristic

More information about the OWASP-Leaders mailing list