[Owasp-leaders] OWASP Top 10 Methodology

Neil Smithline neil.smithline at owasp.org
Tue Mar 5 20:30:18 UTC 2013

I'm all for "open" data and methodology. After all, that's what the "O" in
"OWASP" stands for.

That said, I think that any attempt at writing by consensus is doomed for
failure. My recollection is that the 2007 T10 was released much earlier in
the process than the 2010 and 2013. Despite their being only a dozen or so
people consistently partaking in the email discussions about the 2007 T10,
the process turned out to be very cumbersome. Only through Dave's willpower
did it make it out the door.

Despite my being totally surprised at the 2010 T10 arriving much later in
the process than the 2007 did, I thought the process was much better and a
produced a better document. Sure I felt excluded that I wasn't involved
earlier in the writing process. But from the 2007 T10 I knew the high price
of that early involvement and was happy to avoid paying it.

At this point, I think that we can help the T10 in two ways:
1) Proofreading, commenting, etc... the current 2013 T10.
2) Discuss process changes for the _2016_ T10. Perhaps the T10 would be
better if it had more than two initial authors? Perhaps earlier disclosure
of the T10 risks would make it better? Personally, I would have liked to
kill A9 early in the process when there was time to change it. I'm not sure
about these ideas but I think discussing changes for the next T10 makes

But trying to retroactively change the process used for the 2013 T10 will
achieve nothing but chaos and a late deliverable.

Please note that I am neither agreeing nor disagreeing with the 2013 T10
process. I am simply stating what I see as a reality based on my previous
experiences. We can't undo what has been done and, for better or worse,
should move forward as best we can and plan ahead for next time.

Neil Smithline

PS: I haven't had this much fun with an email thread in an age.

On Tue, Mar 5, 2013 at 3:04 PM, Dennis Groves <dennis.groves at owasp.org>wrote:

>  On 5 Mar 2013, at 19:40, Paweł Krawczyk wrote:
> On 5/3/2013 at 7:16 PM, "Dennis Groves" wrote:
> But we have never been able to predict if any *specific individual*
> will purchase the banana.
> I'm not sure if these analogies will take us anywhere useful. I think
> at the maturity level of our industry it's already extremely useful to
> know that apps having feature Y are more frequently hacked than Z.
> I agree, but this is correlation not causation.
> For example: Say that we find 50k SQLi in our data corpus, and that this
> number makes SQLi the number one issue in our data sets; as so we make it
> the #1 issue in the new OWASP Top 10.
> Lets further assume that I am using a SQL database in my application and
> that my application is vulnerable to SQLi. We know that having a SQLi
> correlates to getting hacked via SQLi but we actually do not know that any
> given attacker will use that particular attack vector in my case.
> It all depends. Maybe the attacker wants to steal from me, in that case
> perhaps the attacker would not do something so obvious because he fears it
> will be detected and cut him off from his income. Maybe the attacker wants
> to deface my website; and SQLi will not help him reach that goal.
> All I am saying is that this is not a metric. We can not *measure* the
> likelihood that I will be attacked via SQLi because we can not predict *if
> * let alone *how* I will be hacked.
> All we have is correlation, and we know that this correlation puts me at
> much greater risk.
> *I am in agreement with you, I think we have the data (and plenty of it)
> and the talent to do science, but I think right now we are doing more
> astrology than astronomy.*
> Dennis
> ------------------------------
> Dennis Groves <http://about.me/dennis.groves>, MSc
> Email me <dennis.groves at owasp.org> or schedule a meeting<http://goo.gl/8sPIy>
> .
> *This email is licensed under a CC BY-ND 3.0<http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB>license.
> *
> *Please do not send me Microsoft Office/Apple iWork documents.*
> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
> Stand up for your freedom to install free software<http://www.fsf.org/campaigns/secure-boot/statement>
> .
>  The idea that some lives matter less is the root of all that’s wrong
> with the world. -- Paul Farmer
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130305/5169c0e2/attachment.html>

More information about the OWASP-Leaders mailing list