[Owasp-leaders] OWASP Top 10 Methodology

Dennis Groves dennis.groves at owasp.org
Sun Mar 3 06:40:23 UTC 2013

comments inline, like they should be…

On 3 Mar 2013, at 1:45, Jerry Hoff wrote:

> Hello all,
> This is great - we now have a baseline on how the top 10 methodology.
> I have a question about the raw data used in the Top 10 - is this 
> going to be made public as well?
> Ideally, we would have a published, vetted methodology and a 
> repository of raw data available to all.  Total transparency - in my 
> opinion this is much more empowering to organizations.  In the perfect 
> scenario, organizations could then see our methodology, tweak the 
> assumptions and potentially companies can come up with their own "top 
> 10".   To me, the most important thing is ensuring the methodology and 
> data are available and that they accurately reflect reality.
> In my opinion, these are the next steps:
> 	1. Make the data that fueled the Top 10 - 2013 publicly available
> 	2. Allow time for review
> 	3. An open "virtual summit" over webex to hash out glaring problems	
> 	4. Draft a revised methodology
> 	5. Virtual Summit again (repeat until there is a consensus)
> 	6. Opening publish the revised methodology
> 	7. Use this methodology and recommendations to augment the Top 10
> 	8. Publish Final Document
> These steps are based on conversations I had with Jeff Williams, 
> Michael Coates and Jim Manico.
> Does this plan seem reasonable?  Please voice your opinion OWASP 
> leaders.

I love the direction of the momentum. A special thank you to Jerry for 
picking this up in such a professional manner and driving it forward….

However, I see two issues - turing the OWASP top 10 into a community 
process and the governance of that process. At OWASP we tend to work by 
passion and loud voice; and sometimes by reason. I think for a project 
this important we need to work together in more formal and structured 
ways to ensure professionalism and fairness for all parties.

I suggest that we use IETF Review and approval process (It is mature, 
and produces good results), in fact we should treat the hole of the 
OWASP Top 10 as if it were an RFC, and edit the document according to 
the established RFC process. (Of course we are adopting only governance 
here - OWASP Top 10 would remain an OWASP Project.)

This allows for both companies and individuals to participate; it allows 
for transparency and fairness.
It instantiates a position known as a 'Document Editor' which can be 
Dave Witchers who takes the feedback of Individuals and Work Groups 
(companies) and ensures that not incompatible changes are made. 
Incompatible changes are brought to summit for discussion and to achieve 
'general consensus' around the discrepancies.

Perhaps Tobias can shepherd the project through its first few attempts 
until we all understand how to work together in the IETF way.

I invite the communities thoughts, comments and criticism on this 



[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a 

*This email is licensed under a [CC BY-ND 
3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free 

> The idea that some lives matter less is the root of all that’s wrong 
> with the world. -- Paul Farmer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130303/0892c1e3/attachment.html>

More information about the OWASP-Leaders mailing list