[Owasp-leaders] T10 on the map, Re: Vote for Flagship...

johanna curiel curiel johanna.curiel at owasp.org
Sun Jul 27 22:41:05 UTC 2014


Hi Timur

I believe that the Top Ten has overshadowed many other OWASP projects that are
IMO more useful to me as a developer or pen tester. To be honest, the
biggest threat I find is social engineering. One of the top ten should be
'Social engineering risk'.

One of the things I'm working on right now is to promote projects that are
creating real value for the community, and we need to highlight them based
on their target group of interest. For example, the CISO guide is more useful
to a CISO than to a developer, obviously. A pen tester is looking for other
types of information such as pen tools (ZAP, OWTF, Cheat Sheets); developers,
for libraries to secure their code, etc.

These projects are getting lost in a huge incubator list among other
ones that are at a very early development stage or at high risk of being
inactive, and that is not fair. And of course, overshadowed by others, so
yes, many goodies get lost in lists and for visitors of the OWASP site this
is totally unclear.

This has been the work of the Project Task Force and you can follow our
development here (
https://groups.google.com/a/owasp.org/forum/#!forum/projects-task-force).
We have configured 88 projects so far in OpenHub (
https://www.openhub.net/orgs/OWASP) so we can track their activity. This is
mostly for Code/Tool projects that have an open repository.

Another important step here is to create a new homepage/website based on
target groups. We have a design ready, and based on each group's interest,
projects will be displayed. I have attached the draft design we are working
on.

I would like to have a list of documentation projects that are doing
excellent work, such as ASVS. Could you highlight which projects and why?
Also, what are the weak points of the Top Ten? (such as explained in the
presentation and blog)
You can actually help us review the Top Ten at content level.

I invite anyone that would like to volunteer to do this. Please
visit https://www.openhub.net/orgs/OWASP,
search for an OWASP project and go to the link (at the bottom of the page)
"Review this project". If not found, send me an email with your review.


We need volunteers to commit and execute. OWASP won't change by itself; we
do and execute that change, and it's a lot of work... So any volunteers
willing to help review projects or highlight them because of what
they have done/achieved, please contact the Project Task Force :-)

We have also recently been working on putting all projects on the openduck so
anyone can rate them. Soon the link will be available through their OWASP
wiki project page.



Regards

johanna




On Sunday, July 27, 2014, Timur 'x' Khrotko (owasp) <timur at owasp.org> wrote:

> Johanna, sorry for the delayed answer.
>
> Regarding why to refrain from promoting T10 in our public communication as
> the #1 project/product:
>
> Yes, it is about its maturity. Times change, now we have to associate
> OWASP with next gen goodies such as ASVS, Proactive Controls, etc. As per
> today tools like ASVS help the progress of AppSec much better, imo -- the
> tools that fit and guide the real-life use cases. T10 is prone to be
> misused in practice (e.g. as the uniform QA provision).
>
> Disclaimer: I respect the vast historical importance of T10 and admire the
> work done with it.
>
> T10 is to withstand criticism, renew and find its place on the map. As an
> example of critique:
> http://blog.silentsignal.eu/2014/03/31/owasp-top-10-is-overrated/
> - by Balint Varga-Perke who first delivered the topic in a provocative
> speech at our chapter meeting last fall at Prezi:
> https://plus.google.com/112137101792593443873/posts/N8aX51zLwRe
>
> With Bálint we have an idea to create an OWASP project, which is to
> produce infographics about when which OWASP tool to use, and place T10 on
> this QA map with comments on how to use that.
> (In case there is no such map already.)
>
> So let's break the mainstream association OWASP=T10 for the sake of our
> progress.
>
> Regards:
>
> timur
>
>
> On Wed, Jul 16, 2014 at 10:02 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>
>> I think he means that the Top 10 is already a great and mature document /
>> project, which is quite above the others, and might distort the mappings
>> On 16 Jul 2014 01:55, "johanna curiel curiel" <johanna.curiel at owasp.org>
>> wrote:
>>
>>> >I share the belief that being associated with T10 at first place is not
>>> good for OWASP today and tomorrow.
>>>
>>> This is a very heavy statement. I would like to hear your opinion, and if
>>> you could please elaborate and substantiate it, it will help us understand it.
>>>
>>>
>>> On Tue, Jul 15, 2014 at 6:13 PM, Timur 'x' Khrotko (owasp) <
>>> timur at owasp.org> wrote:
>>>
>>>> Hello all,
>>>>
>>>> My suggestion is to exclude T10 from all such lists in order to force
>>>> more attention to be paid to other OWASP projects and documents.
>>>>
>>>> T10 is a thing in itself and needs no support.
>>>>
>>>> I share the belief that being associated with T10 at first place is not
>>>> good for OWASP today and tomorrow. An achievement would be to associate
>>>> the OWASP brand with its 10 flagship projects, when any CISO, ethical hacker,
>>>> senior dev or tester will name you 5 of those 10 and a couple of other
>>>> useful OWASP projects.
>>>>
>>>> Regards:
>>>> Timur
>>>> Hi Josh
>>>>
>>>> Thanks for the reminder.
>>>>
>>>> I just included a "None" (blank vote) option in the form.
>>>>
>>>>
>>>> regards
>>>>
>>>> Johanna
>>>>
>>>>
>>>> On Tue, Jul 15, 2014 at 11:22 AM, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>>
>>>>> Johanna,
>>>>>
>>>>> When I went to vote for this a couple of weeks ago, my intent was to
>>>>> submit a vote for no projects out of a belief that all projects should
>>>>> remain without Flagship status until the requirements have been defined for
>>>>> Flagship documentation projects.  In order to submit the form, however, it
>>>>> required that I check at least one option.  Has the form been updated to
>>>>> allow for no selection as a valid option?  If so, I will gladly cast my
>>>>> vote.  Thanks!
>>>>>
>>>>> ~josh
>>>>>
>>>>>
>>>>> On Tue, Jul 15, 2014 at 9:48 AM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>> Form: https://docs.google.com/spreadsheet/viewform?fromEmail=true&formkey=dHBMYjdpZzVXaFJjTWgwVzdOdTJCbEE6MA
>>>>>>
>>>>>> Vote for Flagship - OWASP Document Projects
>>>>>>
>>>>>> The OWASP Flagship designation is given to projects that have
>>>>>> demonstrated strategic value to OWASP and application security as a whole.
>>>>>>
>>>>>> Your Name *
>>>>>>
>>>>>> Email *
>>>>>>
>>>>>> Please check the document candidate flagship projects you consider to
>>>>>> be flagship until a process exists to properly review these *
>>>>>>
>>>>>>    - OWASP Top Ten
>>>>>>    - Code Review
>>>>>>    - Developer Guidelines
>>>>>>    - Appsec Tutorials
>>>>>>    - Testing Guide
>>>>>>    - Software Assurance Maturity Model (SAMM)
>>>>>>    - OWASP Secure Coding Practices - Quick Reference Guide
>>>>>>    - OWASP Application Security Verification Standard Project
>>>>>>    - Virtual Patching Best Practices
>>>>>>    - OWASP Podcast Project
>>>>>>    - OWASP Legal Project
>>>>>>    - OWASP CTF Project
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Owasp-community mailing list
>>>>>> Owasp-community at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-community
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>> Email us to enforce secure link with your mail servers (domain).
>>>> This message may contain confidential information - you should handle
>>>> it accordingly.
>>>> This message may contain confidential information and should be treated accordingly.
>>>
>>>
>>>
>>>
>>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 33263 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140727/d515fed2/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: landing_pages.pdf
Type: application/pdf
Size: 1307940 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140727/d515fed2/attachment-0001.pdf>
