[Owasp-leaders] OWASP Top 10 Methodology

Paweł Krawczyk pawel.krawczyk at hush.com
Tue Mar 5 19:40:26 UTC 2013


On 5/3/2013 at 7:16 PM, "Dennis Groves" wrote:
> But we have never been able to predict if any **specific individual**
> will purchase the banana.

I'm not sure if these analogies will take us anywhere useful. I think
at the maturity level of our industry it's already extremely useful to
know that apps having feature Y are more frequently hacked than Z.
Which then allows you to make specific decisions about training budget
for the next year, or security testing priorities. Or, more precisely,
convince those who hold money that they should be spent and what
they should be spent for - for example, that it makes sense to spend
$20k for pentesting of an application that is threatened with $10m
fine from FSA in case of compromise, rather than an internal desk
booking application. Most people can build those arguments
intuitively, but I can see it's time to move to another level - and
start quantifying things.