[Owasp-leaders] CWE/SANS Top 25 Most Dangerous Programming Errors

Stephen Craig Evans stephencraig.evans at gmail.com
Sun Jan 18 07:21:03 EST 2009

Hi Marcin,

I just read about 15 articles reporting on the SANS 25 list in IT and
security e-publications. I share your frustration with the total absence of
any mention of the OWASP Top Ten.

My comments:

- Almost all mention Microsoft, Symantec, and DHS as the first 3
contributors, insinuating that they are the primary contributors. My take is
that it doesn't say "content contributors"; it could either be one of these
3 or a combo of all:
1. the 3 were financial contributors;
2. the 3 have good PR departments;
3. the author thought that their article would have the maximum effect if
these 3 entities were mentioned in the first paragraph.

- There's still a huge divide between IT security and software security. I
read comments from 3 so-called IT security experts, and it is obvious that
they know pretty much nothing about application security. In the same vein,
perusing the local OWASP chapters' mailing lists around the globe, I see
lots of presentations and topics of meetings that are IT Security and have
nothing to do with Web Application Security.

- If one has chosen software security as a profession, it's a sure bet for
years to come :-)

As for the value of the SANS 25 list, we will have to let the paint dry and
figure out how much it is worth. For example, for my clients the OWASP Top
10 2004 list is more relevant than the 2007 list.


On Thu, Jan 15, 2009 at 3:08 AM, Marcin Wielgoszewski <marcin at owasp.org> wrote:

> Yah, I did notice a couple people who are OWASP members contributed
> (notably Jeff, Ivan, etc).
> I think combined with Gary McGraw's column posted yesterday ( ) and Arian
> Evans' most recent email to the web-security mailing list (
> http://www.webappsec.org/lists/websecurity/archive/2009-01/msg00041.html)
> sum up my thoughts about the SANS/CWE list.  It's one of the issues I've had
> with these lists, asking people not to limit themselves to just the Top 10
> -- there are over 700+ CWE, 100+ CAPEC, 24 WASC TC etc to also take into
> account.
> I just think SANS tried to "one-up" OWASP with a new Top X list.
> Instead, perhaps Top 10 2009 should be Andrew's Top 10 Things To Do Right.
> On Wed, Jan 14, 2009 at 7:58 AM, Marco M. Morana <marco.m.morana at gmail.com> wrote:
>> Marcin
>> If you look at the contributors of this important document
>> http://www.sans.org/top25errors/, we have both people who implicitly are
>> OWASP members (e.g. Jeff Williams, James Walden and Ivan Ristic are the ones I
>> recognize) as well as, explicitly, an organization: the working group at
>> the first OWASP ESAPI Summit.
>> I am not sure that the fact that OWASP T10 is not mentioned lessens the
>> credit or misses an opportunity to shine as an organization critical to producing
>> this document for software security.
>> Regards
>> Marco
>> OWASP Chapter Lead <http://www.owasp.org/index.php/Cincinnati>
>> Writing Secure Software Blogger <http://securesoftware.blogspot.com/>
>> ----- Original Message -----
>> *From:* Marcin Wielgoszewski <marcin at owasp.org>
>> *To:* Jeff Williams <jeff.williams at aspectsecurity.com>
>> *Cc:* owasp-leaders at lists.owasp.org
>> *Sent:* Tuesday, January 13, 2009 10:01 AM
>> *Subject:* Re: [Owasp-leaders] CWE/SANS Top 25 Most Dangerous Programming Errors
>> Jeff, the thing that really bites me about it all... is nowhere, in any of
>> the news postings I've read since the release, has OWASP been mentioned or
>> given credit for its own Top 10.
>> Does anyone else feel the same way?  Or am I again being overly possessive
>> and my preference for open-source, open-body organizations like OWASP
>> shining through?
>> On Tue, Jan 13, 2009 at 7:24 AM, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
>>> I helped them out with this but didn't intend for them to assume an
>>> organizational endorsement.  Even though it's basically the top ten + buffer
>>> overflows, it helps our mission.
>>> --Jeff
>>> On Jan 13, 2009, at 12:34 AM, "Marcin Wielgoszewski" <marcin at owasp.org> wrote:
>>> Today SANS, in conjunction with MITRE, has released the CWE/SANS Top 25
>>> Most Dangerous Programming Errors [1].
>>> It appears OWASP Foundation has made an official statement supporting
>>> this initiative:
>>> OWASP Foundation: "When facing a huge application portfolio that could
>>> contain many thousands of instances of over 700 different types of
>>> weaknesses, knowing where to start is a daunting task. Done right, stamping
>>> out the CWE Top 25 can not only make you significantly more secure but can
>>> cut your software development costs."
>>> - Jeff Williams, Aspect Security CEO and The OWASP Foundation Chair
>>> [1] http://www.sans.org/top25errors/
>>> Thoughts?  How does this affect the OWASP Top 10 Project?  I'll reserve
>>> comment for the time being.
>>>  _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders