[Owasp-leaders] OWASP Top 10 Methodology

Dave Wichers dave.wichers at owasp.org
Sun Mar 3 21:07:22 UTC 2013

Well. The 3 year cycle has worked well in the past (in my opinion) for several reasons:


1) The field does evolve pretty quickly, but I don't think the Top 10 Risks substantially change every single year. So I think every year is a bit too much.

2) It takes A LOT of work to produce an update to the Top 10, and so spacing it out balances the effort to produce it against the amount of change you'd see when it's updated.

3) Lots of organizations, tools, etc. organize to the Top 10, so if it was published every single year, then everyone that chooses to align themselves to each update would have to do that work every year.

a. And if it didn't change much, I think there would be a lot of update/announcement fatigue.

b. And if it changed A LOT each year, then I think the community would think we were crazy.


So, that's why we've stuck with a 3 year cycle since 2004. Sounds like a good FAQ item.

From: Abbas Naderi [mailto:abbas.naderi at owasp.org] 
Sent: Sunday, March 03, 2013 3:47 PM
To: Dave Wichers
Cc: 'Jerry Hoff'; 'Michael Coates'; 'OWASP Leaders'; 'OWASP TopTen'
Subject: Re: [Owasp-leaders] OWASP Top 10 Methodology



I'm also concerned with time here. I think we can have something more similar to previous Top Tens and create another better one next year, does it have to be every three years?


On 14 Esfand 1391, at 0:13, "Dave Wichers" <dave.wichers at owasp.org> wrote:

I have asked each data provider whether they are willing to publish their data. Some already have, in possibly a different form. I have already included links to their public stats on the Top 10 methodology page. Others have not done so yet, or are working on it, like Aspect for example. We plan to make our data public too.


While I am all for a more formalized / transparent methodology, the one concern I have is how long this all will take. Steps 1-6 below look like they will take several months to complete, based on past experience. And I strongly suspect steps 7-8, will also take several months. I’m OK with all this as long as we all realize that these improvements will also significantly delay finalizing the Top 10 for 2013. I suspect it won’t be done till mid/late summer at this rate, but I could be pleasantly surprised.


If people have energy to invest right now, I'd love it if they did some analysis of the actual exploit stats referenced in this list to see how those stats compare to the exploitability ratings currently in the draft Top 10 for 2013.

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jerry Hoff
Sent: Saturday, March 02, 2013 8:45 PM
To: Michael Coates
Cc: OWASP Leaders; OWASP TopTen
Subject: Re: [Owasp-leaders] OWASP Top 10 Methodology


Hello all,


This is great - we now have a baseline on how the top 10 methodology works.


I have a question about the raw data used in the Top 10 - is this going to be made public as well?


Ideally, we would have a published, vetted methodology and a repository of raw data available to all.  Total transparency - in my opinion this is much more empowering to organizations.  In the perfect scenario, organizations could then see our methodology, tweak the assumptions and potentially companies can come up with their own "top 10".   To me, the most important thing is ensuring the methodology and data are available and that they accurately reflect reality.


In my opinion, these are the next steps:

1. Make the data that fueled the Top 10 - 2013 publicly available

2. Allow time for review

3. An open "virtual summit" over webex to hash out glaring problems

4. Draft a revised methodology

5. Virtual Summit again (repeat until there is a consensus)

6. Openly publish the revised methodology

7. Use this methodology and recommendations to augment the Top 10

8. Publish Final Document


These steps are based on conversations I had with Jeff Williams, Michael Coates and Jim Manico.


Does this plan seem reasonable? Please voice your opinion OWASP leaders.


Jerry Hoff

jerry at owasp.org


On Mar 2, 2013, at 4:15 PM, Michael Coates <michael.coates at owasp.org> wrote:


The OWASP Top 10 Methodology wiki page (as described in the below email) is now live - https://owasp.org/index.php/Top_10_2013/ProjectMethodology

As you'll see in the first line of the wiki - "The goal of this page is to provide the baseline of knowledge to begin a thoughtful conversation of enhancements and changes to continue growing the OWASP top 10."

Next Steps:

- Have ideas on how we can enhance the methodology? Please add it here: https://owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements

- We'll then begin making changes based on these ideas

Overall Goal:

Increase participation, enhance methodology, and continue to grow the excellent OWASP top 10 resource

Thanks for everyone's hard work so far on the Top 10 and all the good ideas that have been floating around. I'm confident we can all work together as a community to make this next top 10 awesome. I look forward to continuing this conversation with everyone.

Michael Coates | OWASP | @_mwc
michael-coates.blogspot.com


On Tue, Feb 26, 2013 at 12:05 PM, Michael Coates <michael.coates at owasp.org> wrote:

Leaders & Top 10 Enthusiasts,

Dave and I had a great conversation today about the Top 10 and some of the questions that have been posed by many in our owasp community.

We're going to build a wiki page that describes the overall project methodology of the owasp top 10, what's currently happening, suggestions for improvements, and an FAQ.

The project has continually grown over the various releases and has successfully attracted more worldwide attention. As we've grown as an organization we've seen many new ways to further open the top 10 and invite greater participation.

This methodology wiki page will help clarify the activities to date and provide a feedback channel to continue growing.

Please look for this page later this week. It would have been great for me to include the completed page with this email, but it will take a day or two and I wanted to send this info to the list now.


Michael Coates | OWASP | @_mwc
michael-coates.blogspot.com