[Owasp-leaders] OWASP Top 10 Methodology

Ryan Barnett ryan.barnett at owasp.org
Wed Mar 13 14:59:42 UTC 2013


FYI - I have added links to sample attack reports to this page -
https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements

-Ryan

On Tue, Mar 5, 2013 at 9:33 AM, Dave Wichers <dave.wichers at owasp.org> wrote:

> Thanks Ryan for taking the lead on this step of the methodology. I’m very
> interested in seeing what the various attack metric sources we can get our
> hands on say about the prevalence of different kinds of attacks.
>
> One comment about the prevalence factor in the Top 10 is that its
> definition is:
>
> The likelihood that an attacker would successfully attack the application
> given this vulnerability.  I could imagine some attack metrics only measure
> attempts to attack (like random DOSing, or random attempts at SQL
> injection/XSS) but don’t or can’t measure the number of actually successful
> attacks.
>
> And I think the likelihood of success is pretty important. Take Reflected
> XSS for example. It’s pretty prevalent, it’s pretty easy to find, but it
> can be hard to successfully pull off.
>
> Don’t get me wrong, I think knowing what attack attempts are actually
> occurring out there in the wild is great information to know. But I’m not
> sure if that data is an exact match to what we consider the likelihood of
> actual successful attack in the Top 10 as it’s defined today.
>
> -Dave
>
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Ryan Barnett
> *Sent:* Tuesday, March 05, 2013 9:25 AM
> *To:* Michael Coates; OWASP Leaders; OWASP TopTen
>
> *Subject:* Re: [Owasp-leaders] OWASP Top 10 Methodology
>
> With regards to the "Additional data sources to be considered" Enhancement
> item – I am contacting various vendors that I listed to try and get access
> to web attack metrics.  I have heard back from both Akamai and Incapsula
> and they are willing to share so I will work with them.
>
> I will update the group when I have more info.
>
> -Ryan
>
>
> *From: *Michael Coates <michael.coates at owasp.org>
> *Date: *Saturday, March 2, 2013 7:15 PM
> *To: *OWASP Leaders <owasp-leaders at lists.owasp.org>, OWASP TopTen <
> owasp-topten at lists.owasp.org>
> *Subject: *Re: [Owasp-leaders] OWASP Top 10 Methodology
>
> Leaders,
>
> The OWASP Top 10 Methodology wiki page (as described in the below email)
> is now live - https://owasp.org/index.php/Top_10_2013/ProjectMethodology
>
> As you'll see in the first line of the wiki - "The goal of this page is to
> provide the baseline of knowledge to begin a thoughtful conversation of
> enhancements and changes to continue growing the OWASP top 10."
>
> Next Steps:
>
> - Have ideas on how we can enhance the methodology? Please add them here
> https://owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements
>
> - We'll then begin making changes based on these ideas
>
> Overall Goal:
>
> Increase participation, enhance methodology, and continue to grow the
> excellent OWASP top 10 resource
>
> Thanks for everyone's hard work so far on the Top 10 and all the good
> ideas that have been floating around. I'm confident we can all work
> together as a community to make this next top 10 awesome.  I look forward
> to continuing this conversation with everyone.
>
> --
> Michael Coates | OWASP | @_mwc
> michael-coates.blogspot.com
>
>
> On Tue, Feb 26, 2013 at 12:05 PM, Michael Coates <michael.coates at owasp.org>
> wrote:
>
> Leaders & Top 10 Enthusiasts,
>
> Dave and I had a great conversation today about the Top 10 and some of the
> questions that have been posed by many in our owasp community.
>
> We're going to build a wiki page that describes the overall project
> methodology of the owasp top 10, what's currently happening, suggestions
> for improvements, and an FAQ.
>
> The project has continually grown over the various releases and has
> successfully attracted more worldwide attention. As we've grown as an
> organization we've seen many new ways to further open the top 10 and invite
> greater participation.
>
> This methodology wiki page will help clarify the activities to date and
> provide a feedback channel to continue growing.
>
> Please look for this page later this week. It would have been great for me
> to include the completed page with this email, but it will take a day or
> two and I wanted to send this info to the list now.
>
> Thanks!
>
> --
> Michael Coates | OWASP | @_mwc
> michael-coates.blogspot.com
>
> _______________________________________________ OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders ****
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130313/8276a297/attachment.html>


More information about the OWASP-Leaders mailing list