[Owasp-leaders] OWASP Top 10 Methodology

gregory.disney gregory.disney at owasp.org
Wed Mar 13 19:03:26 UTC 2013


OWASP Risk and Threat analysis model


On Wed, Mar 13, 2013 at 10:59 AM, Ryan Barnett <ryan.barnett at owasp.org> wrote:

> FYI - I have added links to sample attack reports to this page -
>
> https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements
>
> -Ryan
>
> On Tue, Mar 5, 2013 at 9:33 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
>
>> Thanks Ryan for taking the lead on this step of the methodology. I’m very
>> interested in seeing what the various attack metric sources we can get our
>> hands on say about the prevalence of different kinds of attacks.
>>
>> One comment about the prevalence factor in the Top 10 is that its
>> definition is:
>>
>> The likelihood that an attacker would successfully attack the application
>> given this vulnerability.  I could imagine some attack metrics only measure
>> attempts to attack (like random DOSing, or random attempts at SQL
>> injection/XSS) but don’t or can’t measure the number of actually successful
>> attacks.
>>
>> And I think the likelihood of success is pretty important. Take Reflected
>> XSS for example. It’s pretty prevalent, it’s pretty easy to find, but it
>> can be hard to successfully pull off.
>>
>> Don’t get me wrong, I think knowing what attack attempts are actually
>> occurring out there in the wild is great information to know. But I’m not
>> sure if that data is an exact match to what we consider the likelihood of
>> actual successful attack in the Top 10 as it’s defined today.
>>
>> -Dave
>>
>> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
>> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Ryan Barnett
>> *Sent:* Tuesday, March 05, 2013 9:25 AM
>> *To:* Michael Coates; OWASP Leaders; OWASP TopTen
>> *Subject:* Re: [Owasp-leaders] OWASP Top 10 Methodology
>>
>> With regards to "Additional data sources to be considered" Enhancement
>> item – I am contacting various vendors that I listed to try and get access
>> to web attack metrics.  I have heard back from both Akamai and Incapsula
>> and they are willing to share so I will work with them.
>>
>> I will update the group when I have more info.
>>
>> -Ryan
>>
>> *From: *Michael Coates <michael.coates at owasp.org>
>> *Date: *Saturday, March 2, 2013 7:15 PM
>> *To: *OWASP Leaders <owasp-leaders at lists.owasp.org>, OWASP TopTen <
>> owasp-topten at lists.owasp.org>
>> *Subject: *Re: [Owasp-leaders] OWASP Top 10 Methodology
>>
>> Leaders,
>>
>> The OWASP Top 10 Methodology wiki page (as described in the below email)
>> is now live - https://owasp.org/index.php/Top_10_2013/ProjectMethodology
>>
>> As you'll see in the first line of the wiki - "The goal of this page is
>> to provide the baseline of knowledge to begin a thoughtful conversation of
>> enhancements and changes to continue growing the OWASP top 10."
>>
>> Next Steps:
>>
>> - Have ideas on how we can enhance the methodology? Please add it here
>> https://owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements
>>
>> - We'll then begin making changes based on these ideas
>>
>> Overall Goal:
>>
>> Increase participation, enhance methodology, and continue to grow the
>> excellent OWASP top 10 resource
>>
>> Thanks for everyone's hard work so far on the Top 10 and all the good
>> ideas that have been floating around. I'm confident we can all work
>> together as a community to make this next top 10 awesome.  I look forward
>> to continuing this conversation with everyone.
>>
>> --
>> Michael Coates | OWASP | @_mwc
>> michael-coates.blogspot.com
>>
>> On Tue, Feb 26, 2013 at 12:05 PM, Michael Coates <
>> michael.coates at owasp.org> wrote:
>>
>> Leaders & Top 10 Enthusiasts,
>>
>> Dave and I had a great conversation today about the Top 10 and some of
>> the questions that have been posed by many in our owasp community.
>>
>> We're going to build a wiki page that describes the overall project
>> methodology of the owasp top 10, what's currently happening, suggestions
>> for improvements, and an FAQ.
>>
>> The project has continually grown over the various releases and has
>> successfully attracted more worldwide attention. As we've grown as an
>> organization we've seen many new ways to further open the top 10 and invite
>> greater participation.
>>
>> This methodology wiki page will help clarify the activities to date and
>> provide a feedback channel to continue growing.
>>
>> Please look for this page later this week. It would have been great for
>> me to include the completed page with this email, but it will take a day or
>> two and I wanted to send this info to the list now.
>>
>> Thanks!
>>
>> --
>> Michael Coates | OWASP | @_mwc
>> michael-coates.blogspot.com
>>
>> _______________________________________________ OWASP-Leaders mailing
>> list OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>