[Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available

Dave Wichers dave.wichers at owasp.org
Tue Feb 19 17:06:44 UTC 2013

Regarding dealing with comments, I will do so, but I’m not going to start making changes immediately. We have a comment period through the end of March on purpose. I just got the draft out on Friday and then went on vacation for 4 days so I’m just getting back and starting to sift through the comments now.


And I have a heavy day job load this week so it will be a while before I process all of the comments already received and provide my thoughts in response.


The Top 10 I think is most useful as a single document, and then we also publish it on the wiki so it’s easier to search/use online. But we don’t use the wiki in the creation of the content.
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Abbas Naderi
Sent: Tuesday, February 19, 2013 11:12 AM
To: Eoin Keary
Cc: Eoin Keary; OWASP Leaders
Subject: Re: [Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available


Hi all folks,

I don't know if any of you are also members of the top-10 list, but since the RC release, at least a couple dozen people have sent valuable comments. Nobody in there is in charge of managing and applying the comments, and they just go unnoticed. At least 5 people have commented that A9 does not have the correct title and also that A4 and A7 are practically the same thing.


I'd appreciate it if someone allowed the community to also work on this.

Also, everyone knows that Top 10 is one of the key projects at OWASP. I personally like the document, but I always hate to see some company's logo there. All I'm thinking at that moment is: why them? My company would be more than glad to sponsor and contribute to Top Ten or any other project, and have its logo added to the project, but hey, that's not the spirit of OWASP.


I agree that they should be mentioned, but why not provide a link on the wiki to their website, and then have all the logos and texts about how Aspect made Top 10 there? I don't know if anyone is against this one.

So, please first introduce someone to me who is in charge of Top 10 right now so that I can help him/her manage comments and apply changes,

and second, define how deep a company's influence can be on any project. (i.e. my company is creating WebGoatPHP from scratch with a lot of work, but we're not mentioned almost anywhere in it; we just mention on our website that we have done this.)


Thanks, and sorry for the long mail,


On 1 Esfand 1391, at 19:10, Eoin Keary <eoin.keary at owasp.org> wrote:

Non profit != no money :)


On Tue, Feb 19, 2013 at 3:35 PM, Jim Manico <jim.manico at owasp.org> wrote:

I'm happy to have a smaller OWASP with less vendor involvement, fewer
but higher quality projects, and a smaller budget. We are in the (non
profit) business of spreading AppSec awareness, not making more money.

Jim Manico
(808) 652-3805

On Feb 20, 2013, at 12:27 AM, Eoin Keary <eoinkeary at gmail.com> wrote:

> I believe in what ur saying but our corporate sponsors won't.
> Why do we have corporate sponsor logos on the wiki at all, following this thought process?
> We need to balance revenue generation to do stuff with our open source ideals. Corporate sponsorship is important to the foundation for conferences, events, etc.
> We need industry inclusion /support or we die.
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> On 19 Feb 2013, at 15:12, Jim Manico <jim.manico at owasp.org> wrote:
>>> Look at webgoat lessons. - every lesson has the creators company logo. Should we remove these also?
>> Absolutely! This is not NASCAR, this is a not for profit charitable,
>> altruistic organization where serving the community at the expense of
>> personal gain in a vendor-neutral way is the norm.
>> And PS: Bruce Mayhew continues to support WebGoat in his free time and
>> he works for a different company now. WebGoat 5.4 actually removed
>> some of the sponsorship garbage and future versions will do so to an
>> even greater extent.
>> I'm lucky enough to have traveled the world and visited a large number
>> of chapters along the way. I also track several dozen active OWASP
>> projects. I also consulted a non-profit speciality lawyer before
>> joining the board. I'm not shooting from the hip here, I'm well
>> prepared, I did my homework, and I'm not picking this fight lightly.
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> On Feb 19, 2013, at 11:46 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>> Look at webgoat lessons. - every lesson has the creators company logo. Should we remove these also?


Global Board Member
