[Owasp-leaders] OWASP Top Ten: Project Activity?
neil.smithline at owasp.org
Mon Jun 29 11:08:27 UTC 2015
I just noticed this thread. I can answer some of the questions.
- Should we use data from other sources?
IMO, the value of the T10 is that it summarizes the state of web app
security throughout the industry. As such, taking data from multiple
sources is an absolute requirement.
- Why no 2014 or 2015 T10?
Up to now, the strategy has been to publish a Top-10 every 3 years. I think
this has made sense as the weakness landscape isn't as rapidly changing as
one would like. At least in my mind, that doesn't mean that producing them
sooner doesn't make sense, it just isn't what we've done. My suspicion is
that we can't produce a T10 in time for 2015. Gathering the data from other
sources takes time.
On Mon, Jun 29, 2015 at 6:29 PM Timo Goosen <timo.goosen at owasp.org> wrote:
> Dave Wichers is the project leader, I will CC him into this email.
> I think we should talk to the people on the leader list as well.
> >> Should we include both DAST and SAST metrics? I think we should.
> I'm not sure what those stand for but the more the merrier so I think yes
> include it.
> On Sat, Jun 27, 2015 at 10:56 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
>> Hi Timo,
>> Metrics for the top10 from us shall be cleaned and sorted :)
>> In a spreadsheet or XML or whatever you need. The same data is used for
>> our own vulnerability stats report.
>> Who is the project lead for the top 10?
>> Can we ask other folks to supply similar data also?
>> Should we have a call to the leaders list?
>> Should we include both DAST and SAST metrics? I think we should.
>> Metrics should be validated and verified so as to remove all false positives
>> and not skew the stats.
>> Eoin Keary
>> OWASP Volunteer
>> On 27 Jun 2015, at 09:40, Timo Goosen <timo.goosen at owasp.org> wrote:
>> Thanks that would be great. Will the data need to be processed?
>> I'm thinking we can turn this into one of the sessions at AppSec USA
>> Project Summit.
>> I'd be happy to lead it if I am at the summit.
>> On Fri, Jun 26, 2015 at 11:14 AM, Eoin Keary <eoin.keary at owasp.org>
>>> We have 1000s of sanitised vulnerability data via our SaaS service which
>>> covers multiple industry verticals and tech stacks globally.
>>> Both app layer CVE (known vulns) and coding issues (SQLi, XSS etc etc).
>>> We have this to donate to the statistical model when required.
>>> Eoin Keary
>>> OWASP Volunteer
>>> On 26 Jun 2015, at 12:01, Timo Goosen <timo.goosen at owasp.org> wrote:
>>> This is one of the most well-known OWASP projects that I can think of.
>>> The OWASP top ten only has a top ten for 2013, but not for 2013 and 2014.
>>> This project is a flagship project, but I feel the project needs to bring
>>> out some new content considering that this is one of the most well-known
>>> OWASP projects and also because the world of infosec moves really fast and
>>> two years is a lifetime in our field.
>>> I don't have much say in this project but I'd like to see a Top ten for
>>> 2015, with research to back up the statistics. If the people on the project
>>> don't have time to come up with this info then I suggest we create a budget
>>> and request funding for someone to put time into this.
>>> Would like your thoughts on the matter.