[Owasp-leaders] OWASP Top 10 Methodology

Ryan Barnett ryan.barnett at owasp.org
Tue Mar 5 14:36:30 UTC 2013


I agree with your point, and that is precisely why WHID data is so important
and should be weighted more, as it only lists successful compromises rather
than only attempts.

-Ryan

From:  Dave Wichers <dave.wichers at owasp.org>
Date:  Tuesday, March 5, 2013 9:33 AM
To:  Ryan Barnett <ryan.barnett at owasp.org>, 'Michael Coates'
<michael.coates at owasp.org>, 'OWASP Leaders' <owasp-leaders at lists.owasp.org>,
'OWASP TopTen' <owasp-topten at lists.owasp.org>
Subject:  RE: [Owasp-leaders] OWASP Top 10 Methodology

> Thanks Ryan for taking the lead on this step of the methodology. I'm very
> interested in seeing what the various attack metric sources we can get our
> hands on say about the prevalence of different kinds of attacks.
>  
> One comment about the prevalence factor in the Top 10 is that its definition
> is:
>  
> The likelihood that an attacker would successfully attack the application
> given this vulnerability.  I could imagine some attack metrics only measure
> attempts to attack (like random DOSing, or random attempts at SQL
> injection/XSS) but don't or can't measure the number of actually successful
> attacks.
>  
> And I think the likelihood of success is pretty important. Take Reflected XSS
> for example. It's pretty prevalent, it's pretty easy to find, but it can be
> hard to successfully pull off.
>  
> Don't get me wrong, I think knowing what attack attempts are actually
> occurring out there in the wild is great information to know. But I'm not sure
> if that data is an exact match to what we consider the likelihood of actual
> successful attack in the Top 10 as it's defined today.
>  
> -Dave
>  
> 
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Ryan Barnett
> Sent: Tuesday, March 05, 2013 9:25 AM
> To: Michael Coates; OWASP Leaders; OWASP TopTen
> Subject: Re: [Owasp-leaders] OWASP Top 10 Methodology
>  
> 
> With regards to "Additional data sources to be considered" Enhancement item -
> I am contacting various vendors that I listed to try and get access to web
> attack metrics.  I have heard back from both Akamai and Incapsula and they are
> willing to share so I will work with them.
> 
> I will update the group when I have more info.
> 
> -Ryan
> 
> From: Michael Coates <michael.coates at owasp.org>
> Date: Saturday, March 2, 2013 7:15 PM
> To: OWASP Leaders <owasp-leaders at lists.owasp.org>, OWASP TopTen
> <owasp-topten at lists.owasp.org>
> Subject: Re: [Owasp-leaders] OWASP Top 10 Methodology
> 
>  
>> 
>> Leaders,
>> The OWASP Top 10 Methodology wiki page (as described in the below email) is
>> now live - https://owasp.org/index.php/Top_10_2013/ProjectMethodology
>> As you'll see in the first line of the wiki - "The goal of this page is to
>> provide the baseline of knowledge to begin a thoughtful conversation of
>> enhancements and changes to continue growing the OWASP top 10."
>> Next Steps:
>> - Have ideas on how we can enhance the methodology? Please add it here
>> https://owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements
>> - We'll then begin making changes based on these ideas
>> Overall Goal:
>> Increase participation, enhance methodology, and continue to grow the
>> excellent OWASP top 10 resource
>> 
>> Thanks for everyone's hard work so far on the Top 10 and all the good ideas
>> that have been floating around. I'm confident we can all work together as a
>> community to make this next top 10 awesome.  I look forward to continuing
>> this conversation with everyone.
>> 
>> 
>> 
>> --
>> Michael Coates | OWASP | @_mwc
>> michael-coates.blogspot.com <http://michael-coates.blogspot.com>
>>  
>> 
>> On Tue, Feb 26, 2013 at 12:05 PM, Michael Coates <michael.coates at owasp.org>
>> wrote:
>> 
>> Leaders & Top 10 Enthusiasts,
>> Dave and I had a great conversation today about the Top 10 and some of the
>> questions that have been posed by many in our owasp community.
>> 
>> We're going to build a wiki page that describes the overall project
>> methodology of the owasp top 10, what's currently happening, suggestions for
>> improvements, and an FAQ.
>> 
>> The project has continually grown over the various releases and has
>> successfully attracted more worldwide attention. As we've grown as an
>> organization we've seen many new ways to further open the top 10 and invite
>> greater participation.
>> 
>> This methodology wiki page will help clarify the activities to date and
>> provide a feedback channel to continue growing.
>> 
>> Please look for this page later this week. It would have been great for me to
>> include the completed page with this email, but it will take a day or two and
>> I wanted to send this info to the list now.
>> 
>> Thanks!
>> 
>> --
>> Michael Coates | OWASP | @_mwc
>> michael-coates.blogspot.com <http://michael-coates.blogspot.com>
>>  