[Owasp-leaders] OWASP Top 10 - Proposal for a Temporary Injunction

David Montero david.montero at owasp.org
Wed Feb 27 23:11:47 UTC 2013


I think so, Jerry; with clients, when you say OWASP, everybody thinks of the Top 10.

Sent from my iPad

On 27/02/2013, at 04:31, Jerry Hoff <jerry at owasp.org> wrote:

> Hi Andrew,
> 
> To be absolutely clear - there are no accusations here, and absolutely no one is being accused of malice.
> 
> It's more of an embarrassment of riches - the Top 10 is so overwhelmingly successful and popular that it really is "OWASP" to a large number of people outside the organization.  If you go to random developers on the street and say OWASP, they will immediately say "Top 10".
> 
> Jeff and Dave have carefully groomed and grown this project into a worldwide phenomenon, catalyzing planet level change.
> 
> Obviously, with great power comes great responsibility.  Organizational appsec programs are frequently based exclusively around the Top 10 - I see it daily.   With this following, I believe openness on the methodology and data around the Top 10 is key.
> 
> This is very similar to the growth cycle of many technical endeavors - imagine I start an open source framework or library.  Initially I just put something out that works.  Others start using it.  I keep adding features, and even more people start using it.  At a certain threshold, with so many people using my framework, I become responsible not only for updating my framework, but to ensure it is secure as well.  JQuery, RoR, etc… security (it could be argued) took a back seat to functionality until a certain threshold of users was crossed.
> 
> The T10 is the same way - when the first version came out, it didn't matter at all about the methodology or data.  As the project became more and more successful, and is now the basis of innumerable security programs around the globe - it acquired (willingly or unwillingly) the responsibility to become more formalized in methodology.
> 
> Is this fair?  It goes without saying Jeff and Dave have done amazing, world class work on this project. I believe however the data and methodology should be published, and the larger community should be part of the construction of the T10 moving forward.
> 
> I had the pleasure of meeting up with Jeff today at RSA and we discussed this for about an hour.  Jeff is also amenable to having a "T10 Summit" (most likely virtual).  I think Jeff and Dave allowing the community to voice their opinions on the contents of the Top 10 is a great step in line with the philosophy of OWASP.
> 
> Leaders, please voice your opinions on this matter.
> 
> Thank you,
> Jerry
> 
> 
> 
> --
> Jerry Hoff
> @jerryhoff
> jerry at owasp.org
> 
> 
> 
> On Feb 26, 2013, at 6:41 PM, vanderaj vanderaj <vanderaj at owasp.org> wrote:
> 
>> Jerry, Michael, I agree with you it should not have popped out as it did, but I wouldn't attribute malice to where someone just got 'er done. I did the same thing recently with the ASVS 2.0. I would definitely love for the Top 10 to be evidence based and have a consensus based methodology.
>> 
>> (For historical purposes only, and my memory is pretty shocking for the most part.) For the Top 10 2007 edition, I formulated the methodology of using public statistics with Raoul Endres at a pho restaurant in Melbourne. We decided on an evidence-based Top 10, rather than what turned out I assumed to be pretty darned good guesses in the 2004 edition. To that end, I asked for and obtained Steve Christey's early data that is essentially the CVE stats of 2006 in electronic format.
>> 
>> The main difference between the last draft I was sole author on and the final versions with everyone's input was the removal of some evidence-based controls such as certain access controls, in favor of two crypto issues. I put in CSRF deliberately. I deliberately made sure the methodology and why CSRF was added as a choice ("Why we have added some important issues").
>> 
>> The document went through several private and then several public iterations before settling on final drafts. I have about 10 drafts in my OWASP folder if anyone wants to see them (so far, no one has ever asked me for them). I have the raw data if anyone wants it (and no one asked for it AFAIK), assuming Steve is okay with me releasing it (you can now get that data in XML format directly from NIST). I probably should have asked Steve nicely if we could release it in some form other than a synthesis rather than keep it hidden.
>> 
>> 
>> thanks,
>> Andrew
>> 
>> 
>> On Wed, Feb 27, 2013 at 9:13 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
>>> Jerry,
>>> 
>>> Michael and I agree with you. We are working on it. Stay tuned. I've just been extremely busy at work and in my personal life for the past 10 days, so pretty quiet on the lists. But don't take my silence as disagreement, but rather lack of time.
>>> 
>>> Jeff and I have been working on making the Top 10 more formalized and more open with each release, and we are happy to continue to make improvements in this area. Up through 2007 the project just published it and said here it is. In 2010 we opened it up to a formal open comment period for the first time. In 2013, we can do even more. Thanks for your suggestions.
>>> 
>>> -Dave
>>> 
>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jerry Hoff
>>> Sent: Tuesday, February 26, 2013 4:56 PM
>>> To: Michael Coates
>>> Cc: owasp-topten-project; OWASP Leaders
>>> Subject: Re: [Owasp-leaders] OWASP Top 10 - Proposal for a Temporary Injunction
>>> 
>>> Hello all,
>>> 
>>> Considering most appsec professionals live and die by the Top 10, getting community support behind the methodology, data, trends and statistics that should go into the Top 10 is vital.
>>> 
>>> Exactly as Michael says below, the mailing list is devoid of information; for something as critical to OWASP as the Top 10, this seems to contradict completely the open discussion in the community.
>>> 
>>> I'm looking forward to the wiki, which will hopefully shed some light on the process, but I still firmly believe that there needs to be a community-wide discussion on:
>>> 
>>> 1. The methodology (once released, a discussion around "is this the proper methodology?")
>>> 2. Data and data sources
>>> 3. Trends
>>> 4. A more diverse panel to finalize a true OWASP Top 10 - 2013 which reflects as accurately as possible the true ranking of current web appsec risks
>>> 
>>> Jeff, Dave - you guys more than anyone have contributed to the overall awareness of application security.  It is in everyone's interest - including the OWASP community and the developer community - to ensure the Top 10 is as accurate as possible.  Isn't opening the Top 10 to a more diverse set of security professionals in the interests of us all?
>>> 
>>> Folks - this is important.  This is not just any OWASP project, this is the Top 10.  The decisions made here, about this issue, will impact the security of people worldwide.  We should take the time and put in the effort to make sure, as a community, that we get this right!
>>> 
>>> Leaders, this is very important.  Please chime in and make your voice heard on this issue.
>>> 
>>> Jerry
>>> 
>>> --
>>> Jerry Hoff
>>> @jerryhoff
>>> jerry at owasp.org
>>> 
>>> On Feb 26, 2013, at 11:08 AM, Michael Coates <michael.coates at owasp.org> wrote:
>>> 
>>> Ryan,
>>> 
>>> Thanks for that info. I think that helps provide some background, but Jerry's first two questions are still very relevant and the current info we publish doesn't seem to address them:
>>> 
>>> - What is the methodology used to decide on the "Top 10 risks"?
>>> - Who exactly is involved in the selection and ordering of these risks?
>>> 
>>> One concern I have is that we (OWASP) don't know this information either. The place where the conversation should have happened - the top ten mailing list - does not have any information. http://lists.owasp.org/pipermail/owasp-topten/
>>> 
>>> To reiterate Jerry's questions, where was the Top 10 discussed? How was it done? And who was involved in the decision making (not just providing data)?
>>> 
>>> Thanks,
>>> Michael
>>> 
>>> --
>>> Michael Coates | OWASP | @_mwc
>>> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders