[Owasp-leaders] T10 on the map, Re: Vote for Flagship...

Timur 'x' Khrotko (owasp) timur at owasp.org
Sun Jul 27 19:37:33 UTC 2014


Johanna, sorry for the delayed answer.

Regarding why to refrain from promoting T10 in our public communication as
the #1 project/product:

Yes, it is about its maturity. Times change, now we have to associate OWASP
with next gen goodies such as ASVS, Proactive Controls, etc. As of today,
tools like ASVS help the progress of AppSec much better, imo -- the tools
that fit and guide the real-life user cases. T10 is prone to be misused in
practice (e.g. as the uniform QA provision).

Disclaimer: I respect the vast historical importance of T10 and admire the
work done with it.

T10 is to withstand criticism, renew and find its place on the map. As an
example of critique:
http://blog.silentsignal.eu/2014/03/31/owasp-top-10-is-overrated/
- by Balint Varga-Perke who first delivered the topic in a provocative
speech at our chapter meeting last fall at Prezi:
https://plus.google.com/112137101792593443873/posts/N8aX51zLwRe

With Bálint we have an idea to create an OWASP project, which is to produce
infographics about when which OWASP tool to use, and place T10 on this QA
map with comments on how to use that.
(In case there is no such map already.)

So let's break the mainstream association OWASP=T10 for the sake of our
progress.

Regards:

timur


On Wed, Jul 16, 2014 at 10:02 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> I think he means that the Top 10 is already a great and mature document /
> project, which is quite above the others, and might distort the mappings
>
> On 16 Jul 2014 01:55, "johanna curiel curiel" <johanna.curiel at owasp.org>
> wrote:
>
>> >I share the belief that being associated with T10 at first place is not
>> good for OWASP today and tomorrow.
>>
>> This is a very heavy statement. I would like to hear your opinion and if
>> you could please elaborate and substantiate it, it will help us understand it.
>>
>>
>> On Tue, Jul 15, 2014 at 6:13 PM, Timur 'x' Khrotko (owasp) <
>> timur at owasp.org> wrote:
>>
>>> Hello all,
>>>
>>> my suggestion is to exclude T10 from all such lists in order to force
>>> more attention to be paid to other OWASP projects and documents.
>>>
>>> T10 is a thing in itself and needs no support.
>>>
>>> I share the belief that being associated with T10 at first place is not
>>> good for OWASP today and tomorrow. An achievement would be to associate
>>> OWASP brand with 10 of its flagship projects, when any CISO, ethical hacker,
>>> senior dev or tester will name you 5 of those 10 and a couple of other
>>> useful OWASP projects.
>>>
>>> Regards:
>>> Timur
>>> Hi Josh
>>>
>>> Thanks for the reminder.
>>>
>>> I just included "None" :(Blank vote) option to the form.
>>>
>>>
>>> regards
>>>
>>> Johanna
>>>
>>>
>>> On Tue, Jul 15, 2014 at 11:22 AM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>>
>>>> Johanna,
>>>>
>>>> When I went to vote for this a couple of weeks ago, my intent was to
>>>> submit a vote for no projects out of a belief that all projects should
>>>> remain without Flagship status until the requirements have been defined for
>>>> Flagship documentation projects.  In order to submit the form, however, it
>>>> required that I checked at least one option.  Has the form been updated to
>>>> allow for no selection as a valid option?  If so, I will gladly cast my
>>>> vote.  Thanks!
>>>>
>>>> ~josh
>>>>
>>>>
>>>> On Tue, Jul 15, 2014 at 9:48 AM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> If you have trouble viewing or submitting this form, you can fill it
>>>>> out online:
>>>>>
>>>>> https://docs.google.com/spreadsheet/viewform?fromEmail=true&formkey=dHBMYjdpZzVXaFJjTWgwVzdOdTJCbEE6MA
>>>>>
>>>>> Vote for Flagship - OWASP Document Projects
>>>>>
>>>>> The OWASP Flagship designation is given to projects that have
>>>>> demonstrated strategic value to OWASP and application security as a whole.
>>>>>
>>>>>  Your Name *
>>>>>
>>>>>  Email *
>>>>>
>>>>>  Please check Documents candidate flagship projects you consider to
>>>>> be flagship until a process exists to properly review these *
>>>>>
>>>>>    - OWASP Top Ten
>>>>>    - Code Review
>>>>>    - Developer Guidelines
>>>>>    - Appsec Tutorials
>>>>>    - Testing Guide
>>>>>    - Software Assurance Maturity Model (SAMM)
>>>>>    - OWASP Secure Coding Practices - Quick Reference Guide
>>>>>    - OWASP Application Security Verification Standard Project
>>>>>    - Virtual Patching Best Practices
>>>>>    - OWASP Podcast Project
>>>>>    - OWASP Legal Project
>>>>>    - OWASP CTF Project
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-community mailing list
>>>>> Owasp-community at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-community
>>>>>
>>>>>
>>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>> Email us to enforce secure link with your mail servers (domain).
>>> This message may contain confidential information - you should handle it
>>> accordingly.
>>> This letter may contain confidential information and is to be handled as such.
>>
>>
>>
>>
>>
