[Owasp-leaders] OWASP Top 10 Methodology

Dave Wichers dave.wichers at owasp.org
Tue Mar 5 14:33:16 UTC 2013


Thanks Ryan for taking the lead on this step of the methodology. I'm very
interested in seeing what the various attack metric sources we can get our
hands on say about the prevalence of different kinds of attacks.
One comment about the prevalence factor in the Top 10 is that its definition
is:

"The likelihood that an attacker would successfully attack the application
given this vulnerability."

I could imagine some attack metrics only measure attempts to attack (like
random DoSing, or random attempts at SQL injection/XSS) but don't or can't
measure the number of actually successful attacks.

And I think the likelihood of success is pretty important. Take Reflected
XSS for example. It's pretty prevalent, it's pretty easy to find, but it can
be hard to successfully pull off.
Don't get me wrong, I think knowing what attack attempts are actually
occurring out there in the wild is great information to know. But I'm not
sure if that data is an exact match to what we consider the likelihood of
actual successful attack in the Top 10 as it's defined today.

-Dave
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Ryan Barnett
Sent: Tuesday, March 05, 2013 9:25 AM
To: Michael Coates; OWASP Leaders; OWASP TopTen
Subject: Re: [Owasp-leaders] OWASP Top 10 Methodology
With regards to the "Additional data sources to be considered" enhancement
item, I am contacting the various vendors that I listed to try and get access
to web attack metrics. I have heard back from both Akamai and Incapsula and
they are willing to share, so I will work with them.

I will update the group when I have more info.
-Ryan
From: Michael Coates <michael.coates at owasp.org>
Date: Saturday, March 2, 2013 7:15 PM
To: OWASP Leaders <owasp-leaders at lists.owasp.org>, OWASP TopTen
<owasp-topten at lists.owasp.org>
Subject: Re: [Owasp-leaders] OWASP Top 10 Methodology
Leaders,

The OWASP Top 10 Methodology wiki page (as described in the email below) is
now live - https://owasp.org/index.php/Top_10_2013/ProjectMethodology

As you'll see in the first line of the wiki - "The goal of this page is to
provide the baseline of knowledge to begin a thoughtful conversation of
enhancements and changes to continue growing the OWASP top 10."

Next Steps:

- Have ideas on how we can enhance the methodology? Please add it here:
https://owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements

- We'll then begin making changes based on these ideas

Overall Goal:

Increase participation, enhance methodology, and continue to grow the
excellent OWASP top 10 resource.

Thanks for everyone's hard work so far on the Top 10 and all the good ideas
that have been floating around. I'm confident we can all work together as a
community to make this next top 10 awesome.  I look forward to continuing
this conversation with everyone.
--
Michael Coates | OWASP | @_mwc
michael-coates.blogspot.com
On Tue, Feb 26, 2013 at 12:05 PM, Michael Coates <michael.coates at owasp.org>
wrote:

Leaders & Top 10 Enthusiasts,

Dave and I had a great conversation today about the Top 10 and some of the
questions that have been posed by many in our owasp community.

We're going to build a wiki page that describes the overall project
methodology of the owasp top 10, what's currently happening, suggestions for
improvements, and an FAQ.

The project has continually grown over the various releases and has
successfully attracted more worldwide attention. As we've grown as an
organization we've seen many new ways to further open the top 10 and invite
greater participation.

This methodology wiki page will help clarify the activities to date and
provide a feedback channel to continue growing.

Please look for this page later this week. It would have been great for me
to include the completed page with this email, but it will take a day or two
and I wanted to send this info to the list now.
Thanks!
--
Michael Coates | OWASP | @_mwc
michael-coates.blogspot.com
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders