[Owasp-leaders] Fwd: (& how hard is to find download links on the OWASP website) Re: [Owasp-topten] (no subject)

dinis cruz dinis.cruz at owasp.org
Sun Sep 20 16:44:50 EDT 2009

I'm re-forwarding the email below from Nishi Kumar who works for Fidelity
and (I believe) is the one responsible for the great design we have on our
Live CD (Nishi was at the Summit Last year and is a great OWASP Success
story :) ).
What is good about this email, is the really good PPT (attached) that Nishi
created for internal distribution & presentation at her company (Nishi, this
is REALLY good stuff, I know you sent it to the leaders list (which is why I
am resending it), but can we share it in the current format? (with Fidelity

What is bad about this email, is the fact that Nishi had to email a number
of OWASP senior contacts to get the information she needed (Imagine what
happens for people who are not inside the 'inner-loop')


---------- Forwarded message ----------
From: Nishi Kumar <nishi787 at hotmail.com>
Date: 2009/9/20
Subject: RE: (& how hard is to find download links on the OWASP website) Re:
[Owasp-topten] (no subject)
To: dinis.cruz at owasp.org, owasp-leaders at lists.owasp.org

 Thanks Dinis for paying attention to this. When I started preparing
presentation for OWASP Top 10 I also wondered for a little while "*where is
the latest version of the OWASP Top 10?" *After I asked for some help from
the Top 10 group Dave emailed me some great presentation material. Michael
and Ralph also send me some good links. I have prepared my OWASP Top 10
presentation and planning to deliver by the end of this month to one group
and next month to another Electronic payments group. If you can provide any
feedback on this presentation I will highly appreciate.

Nishi Kumar
Systems Architect
Fidelity Nationals
512 632 3618
Date: Sun, 20 Sep 2009 14:32:29 +0100
Subject: (& how hard is to find download links on the OWASP website) Re:
[Owasp-topten] (no subject)
From: dinis.cruz at owasp.org
To: boberski_michael at bah.com; owasp-leaders at lists.owasp.org
CC: nishi787 at hotmail.com; andre at operations.net; owasp-topten at lists.owasp.org

Thanks for the links Michael (nice example of the usefulness  of those
'bureaucratic' pdf)
And just to try to show in a graphical way, why we need standards when
presenting our project's basic information, here is a workflow (hopefully as
accurate as I can replicate a normal user (i.e. not a experienced OWASP
leader)) who is trying to answer the question

*"So, where is the latest version of the OWASP Top 10?"   *(note: I started
this by trying to add the 'Owasp top 10' download link to this thread  (and
in fact this is real-world question asked recently by Tom B to Paulo

[in the words/mind of a normal user trying to find this link]

   1. probably the best way to start is on the OWASP home page:
   2. wooooaaahh, that is a lot of links and information, hummm, in the side
   there is this thing called 'OWASP Projects' let me click in there to
   3. wooooaaahh, that is also a lot of stuff!!!!
   4. I think I will google it (   ... the most sharp-eyed probably noticed
   that there is a link for the OWASP Top 10 on the owasp home page and that
   (if you scroll down) that is also a link inside the projects page in the
   'Release Quality Projects' tab ... )
   5. ahh, that's better
   6. That said, I'm a bit confused here, hit #1 points to *Category:OWASP
   Top Ten Project** - OWASP* and link #2 points to *Top 10 2007 - OWASP* ,
   which one is the one I want?
   7. That name is quite weird *'**Category:OWASP Top Ten Project -
OWASP' (what
   does 'category mean'? why is OWASP repeated twice in the name?) , but ...
   Google always know better, so I am going to use the first link:
   8. WTF!!!, where is the download link?
   9. Ok, I don't want to buy a book (download link anybody!!! 2009 here!!)
   10. It looks like there is a stable version and some older versions,
   should it be that 'stable' means the latest version? And If I click on that
   link, will that take me directly to the download?
   11. Before that, let me see if that damm download link is anywhere on
   this page
   12. Ok, there are a bunch of 'Top 10 users' (...I know that sherlock, why
   do you think I want to download the OWASP top 10?)
   13. I can give them feedback ... what no online form? I actually have to
   go into my email reader and send in an email to
topten at lists.owasp.org(CCed) , please don't tell me I have to be
subscribed to that list in order
   to send my feedback *(DINIS note: I'm CCing topten at lists.owasp.org on
   this email, but I am very sure that that list required moderation (which is
   actually a good thing for controlling SPAM, but not a good thing for
   providing feedback))*
   14. Then there are the project sponsors (some guys called 'Aspect
   Security'), are they the guys that I will have to contact to get this
   download link? Also I thought that Top 10 was a massive collaboration
   process, is Aspect the only author?
   15. Then it gets better :(
   16. there are 31 pages/links under Pages in the *category "OWASP Top Ten
   Project"* section, but they are missing *D* for DOWNLOAD
   17. Ahh wait, there is a PPT in there ... is the PPT about the OWASP 10
   top, or a presentation about the OWASP Top 10 ... NO ... is it
called *OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10.ppt
   *which sounds quite interesting but not what I am looking for
   18. OK, lets go back up and follow some of these links, that 'stable' one
   looks like a good bet. That said, why is the link called OWASP Top 10
   2007 <http://www.owasp.org/index.php/Top_10_2007> aren't we in 2009? is
   2007 the latest version, where does it say that 2007 is the latest version?
   is there a 2009 version on the works? (I can see a link to 'Old versions'
   what about a link to 'future versions'!!)
   19. Anyway, lets look at http://www.owasp.org/index.php/Top_10_2007 with
   a bit of luck that will either be the download link or it will contain the
   download link in a very easy & obvious location
   20. Hummm, My head is starting to hurt there,
   21. This is the first content that I can see on this page:
      - "... Welcome to the OWASP Top 10 2007! This totally re-written
      edition lists the most serious web application vulnerabilities,
      how to protect against them, and provides links to more information. *
      - *The OWASP Top 10 has been translated into French. Click
the French Translation!
    - *The OWASP Top 10 for Java Enterprise Edition is available for
      download **here<https://www.owasp.org/images/8/89/OWASP_Top_10_2007_for_JEE.pdf>..."
   22. Ok, call me stupid but!!
      - Where is the link to the ENGLISH version of the OWASP Top 10! (Do I
      need to grab the French version and translate it into English?
(Hey I'm up
      to trying anything by now))
    - This totally *'re-written ... most serious...' *list is from 2007
      right? (as btw, was it *written* in 2007 or *published* in 2007)?
    - Does this mean that the OWASP Top 10 is actually the OWASP Top 10 for
      Java Enterprise? , I though the Top 10 was for Web Applications.
   23. Getting desperate here ... hey .. inside the AIM Section there is a
   link called Where to Go From
click on it ( ... work with me here,
   *'Where to Go From here? ---> to the DOWNLOAD PAGE!!!* :) )
   24. humm, no luck in
   http://www.owasp.org/index.php/Top_10_2007-Where_to_Go_From_Here page ...
   again that sounds interesting, but not what I want, and no sigh to the
   download link
   25. back in http://www.owasp.org/index.php/Top_10_2007 the next link on
   the Aim section points to a 300 page OWASP Development
Guide<http://www.owasp.org/index.php/OWASP_Guide_Project>which (unless
it contains the OWASP Top 10 in the foreword, it is not what I
   26. Then we have the acknowledgments , followed by a Summary (which seems
   to link to parts of the OWASP Top 10, but I want the DOWNLOADable PDF or
   Word Document)
   27. HEY!!!! looks like we're getting there, the next section is called* '
   **A Note About The Different Versions'* and it starts by
saying*"...While the only official version of the OWASP Top Ten 2007
list is the
   downloadable English PDF version,..." *.. so Alleluia!!! there is a PDF
   of this document!!!! all I need is to find it
   28. Ok .. hold your breath ... there is a section called *Downloadable
   Versions* , if the english version is not here I will give up!
   29. NO!!!!!!!!!!!!!!!!!!!!!
   30. There is no english version!!!!!!! this is what that section has
      - You can download the Top 10 2007 (Final) here:
    - (PDF, 930 kb) <http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf>
         - (French Version PDF, 455
         - (Korean Version PDF, 768
         - (Turkish Version PDF, 718
         - (Brazilian Portuguese PDF, 329
         - (Spanish PDF,
         - OWASP Top 10 for Java Enterprise Edition (PDF, 630
         - Looking for a version in another language? We could use your help
         translating. Contact Andrew van der Stock (vanderaj ...(@)...
         owasp.org) to help translating the OWASP Top 10 into your language.
      31. There is an version in French, Korean, Turkish,
   Brazilian/Portuguese, Spanish and that Java Enterprise one that keeps coming
   back to haunt me
   32. I give up
   33. .... close browser ...
   34. ... grab a coffee...
   35. ...
   36. ... still need to get that Owasp Top 10 pdf ...
   37. ...
   38. ... open browser
   39. ...
   40. Ok, let's do this, come on, it can't be that hard!
   41. lets try this again
   42. opening www.owasp.org
   43. hey.. there is a link on the home page to the OWASP Top 10 ...
   humm.... was that there before? ... let's click on it
   44. ok now I'm again at
   http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project , let me
   try that Book thing at the top, since it is the first thing on the page, so
   it must be important
   45. clicking on the downloaded or
   46. OK ... I'm in another website http://www.lulu.com/content/1400974 (is
   this owned by OWASP?, can't see their logo anywere!)
   47. The cover looks good, but WHERE IS THE DOWNLOAD LINK??
   48. Humm ... has OWASP been HACKED? this looks like a scam, They (owasp
   website) said that I could download or purchase here, but all this website
   is trying to do is to get me to buy this book and give them my Credit Card
   details ... ahh, maybe the owasp link is wrong and it should say 'download
   AND purchase' , or more accurately 'purchase AND download'
   49. ... WHAT IS GOING ON, I though OWASP was an Open organization ...
   this is not a good sign ...
   50. but ... I have hope that I will still be able to get that damm
   download link ...
   51. lets go back to google and let me be more specific on my search:
   'owasp top 10 download'
   52. first link points to http://www.owasp.org/index.php/Top_10_2007
   53. ok... been here, this is the page that has the
   http://www.owasp.org/index.php/Top_10_2007#Downloadable_Versions section
   54. let's be real, ... it can't be that the English version is not here
   55. WAIT!!!! look at that first link? (PDF, 930
kb)<http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf>could it be
that this is the English version!!! AHHH maybe it is an
   * 'intelligence hacking test' *where if '*you are not good enough to find
   that link you deserve to be hacked!!!' *(and not worthy to belonging to
   the club of the *'People who have read the OWASP Top 10 in english'* )
   56. Now, I'm motivated ... lets click on that link!
   57. SUCCESS!!!!!
   58. Here is the
   59. ...
   60. ... now all I have to do is read it and understand what it says so
   that I can protect my app :)

(Back to Dinis)

HUFFF!!! that took a while, sorry guys I didn't meant for it to take that

Just to finish my chain of thought, please try to find the download link
here (and if please 'start a timer and calculate how many seconds it will
take you')

   - (linked from the OWASP home page) *OWASP Testing Guide:*

OK, did you made a note of how long it took you? Now do the same think for
these two projects

   - (linked from the OWASP home page) *OWASP Code Review Guide*:
   - (linked from the OWASP Projects page as a 'Release Quality
Project') *OWASP
   Ruby on Rails Security Guide V2*

Ok, not finished yet, now (always keeping score of how long it took you to
find that damm download link), do the same for these projects

   - (linked from the OWASP home page)
   - (linked from the OWASP home page)
   - (linked from the OWASP home page)
   - (linked from the OWASP home page)
   - (linked from the OWASP home page)
   - (linked from the OWASP home page)
   - (linked from the OWASP home page)
one click too many, but at least very obvious)
   - (linked from the OWASP home page)

If have not given up by now , you could continue here
http://www.owasp.org/index.php/Category:OWASP_Download (which is the link
that you get on google when searching for OWASP and click on the 'download'
link (under the #1 search results)

OK, and that was just for the download link. Try doing the same exercise

   - 1 line description about that project
   - 1 paragraph description about that project
   - who is the project leader? how do I contact him/her
   - where is the link to the mailing list (to subscribe or to read its
   - is this an active project? (or if it is inactive/ofphaned who do I talk
   - what license is this project released under? (*"...I know that OWASP is
   open source, but some licenses work for me and some don't..."*)
   - what is the project roadmap? *("...i.e. what is the current plans and
   what is going to happen next.."*)
   - is there a 1 page (maybe even in (shock horror) pdf format) about this
   project (*"... so that I can get a top level view of what it is? (and
   maybe send/give it to some colleagues of mine that are interested ..."*)

And those are the easy questions, what about:

   - Who uses this project?
   - Has this project been reviewed by anybody?
   - Has this tool been though a security review? How do I report
   vulnerabilities in this tool?
   - I want to use this project on my company, is there any documentation on
   how to deploy this on a xxx development environment?

Now ... remember that OWASP has 100+ projects and we need a scalable
solution to deal with the issues I raised above.

To solve this, the GPC has come up (after a public consultation with the
owasp-leaders) what we call the
is basically an attempt to give the OWASP project leaders a path into
solving the 'information/product management problem' we have at OWASP.

The good news is that we (finally) at the GPC have come up with a
technologically solution (based on our current WIKI technology) to enable
the easy edit, management and presentation of our projects.

To see this in action take a look at this page
content is entered via a simple
* {variable name = content}* format (see
and whose layout is mapped via a WIKI template:

This in itself, is already a massive leap forward (like you guys who have
tried to edit Paulo's tables in past will know very well :) ), BUT the
really goodie, is the fact that we can reuse this content :)

Check out these two pages, still not as clean as they will be in the future,
but a good preview of what we can do now:

   - http://www.owasp.org/index.php/OWASP_Project_Details_Table
   - http://www.owasp.org/index.php/OWASP_Project_Details_Table_2

Finally, last request, we (GPC) need help in converting the current projects
into the new template, so if you can help it would be great (this is just a
'we need your help' beta request, since Paulo is preparing an email about
this which will contain more details about: a) what has already been done,
b( how the system works and c) what still needs to be done)

Ok, got to go to the park with the family (nice Sunny day here in London

Dinis Cruz

 2009/9/18 Boberski, Michael [USA] <boberski_michael at bah.com>





Mike B.

*From:* owasp-topten-bounces at lists.owasp.org [mailto:
owasp-topten-bounces at lists.owasp.org] *On Behalf Of *Nishi Kumar
*Sent:* Friday, September 18, 2009 10:22 AM
*To:* andre at operations.net; OWASP TopTen
*Subject:* [Owasp-topten] (no subject)

  Hi All,

I have to give a presentation to manager's and executives on OWASP Top 10
and in general how adopting OWASP can help organization develop secure
software. Do you know if there is any existing training material out there
geared towards management and executives that I can leverage. The goal is to
increase awareness of OWASP in my organization.

Nishi Kumar
Systems Architect
Fidelity Nationals

Insert movie times and more without leaving Hotmail®. See

Owasp-topten mailing list
Owasp-topten at lists.owasp.org

Lauren found her dream laptop. Find the PC that’s right for
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20090920/6be3e312/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OWASP_Top_10_High_level_Training.ppt
Type: application/vnd.ms-powerpoint
Size: 2941952 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-leaders/attachments/20090920/6be3e312/attachment-0001.ppt 

More information about the OWASP-Leaders mailing list