[Owasp-leaders] OWASP Top 2017 - Data Call
dave.wichers at owasp.org
Thu Jun 23 18:47:10 UTC 2016
We have 21 submissions so far, but half of them do not look valid. I have
to go through and triage them. And yes, I did receive your submission Eoin.
One of the questions in the survey is about the geography of the apps being
reported. Are you asking if we are going to produce different top 10s for
different geographies? Doubtful. I included that question because I think
the survey inputs will get data mined and that info might be useful to
other researchers when we make all the submissions available.
On Thu, Jun 23, 2016 at 1:39 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> How many submissions do we have? Did you receive our submission?
> Can we order submissions based on geography also?
> Eoin Keary
> OWASP Volunteer
> On 22 May 2016, at 19:57, Dave Wichers <dave.wichers at owasp.org> wrote:
> Don't know. No one ever has before. Everyone who has contributed
> previously has wanted to be associated with their contribution and last
> time we got all the contributors to also self publish their own data.
> What's different this time is a) We are making a public call for data, and
> b) WE plan to publish the data contributed in a standardized format. We
> would hope/expect that all our previous contributors would be happy to have
> it published this way instead and that others would as well.
> If someone REALLY wants to contribute, but anonymously, have them contact
> us and we'll see if we can work something out. We'd be interested in the
> compelling reason why it needs to be anonymous, and if the data itself will
> still be published. Part of the reason for it not being anonymously
> contributed is to help vet the quality of the data (i.e., make sure it's
> from a reputable source).
> p.s. I think there are some that want to contribute (possibly anonymously)
> attack (prevalence) data. That is a different kind of contribution (not
> what we are asking for in the data call). If people want to contribute in
> that way just contact us directly and we'll work that out too.
> On Sun, May 22, 2016 at 1:09 PM, Jonathan Carter <jonathan.carter at owasp.org> wrote:
>> Is there a way for organizations to participate with anonymity?
>> On May 21, 2016, at 5:09 PM, Dave Wichers <dave.wichers at owasp.org> wrote:
>> Tom Brennan reasonably asked for the questions to be made public to make
>> it easier for organizations to prepare their submission. I've posted all
>> the questions here as well:
>> On Fri, May 20, 2016 at 10:31 PM, <dave.wichers at owasp.org> wrote:
>>> The OWASP Top 10 project is launching its effort to update the Top 10
>>> again. The current version was released in 2013, and so this update is
>>> expected to be the 2016 or more likely 2017 release. This time around, we
>>> are making an open data call so anyone with application vulnerability
>>> statistics can contribute their data to the project. To make it easier for
>>> the project to consume this contributed data, we are requesting it be
>>> provided via this Google form.
>>> DEADLINE: Data must be submitted by July 20, 2016.
>>> As an OWASP project, we strive to make everything about every project as
>>> open as possible. For this release of the Top 10, we are going to publish
>>> all the contributed data so that anyone can review it to understand what
>>> input was considered to produce this update, and for other uses as well. We
>>> could imagine other groups/projects making use of this data for other
>>> reasons, so we believe publishing this data will have multiple benefits.
>>> WARNING: You acknowledge that by contributing data to this update of the
>>> Top 10, that you authorize its publication. DO NOT CONTRIBUTE anything you
>>> don’t want to become public.
>>> Guidance on what data we are looking for:
>>> We are looking for web application vulnerability statistics collected by
>>> your organization:
>>> • In web applications you assessed.
>>> • During the years 2014, 2015, or both.
>>> • These vulnerabilities can be in the code itself, the libraries the
>>> applications use, or in the configuration of the environment the
>>> applications run in.
>>> We are NOT interested in OS, or network level vulnerabilities. We ARE
>>> interested in vulnerabilities in any SQL code running in any databases that
>>> back the applications being assessed and the database accounts used to run
>>> this code, but are generally NOT interested in security issues in the
>>> configuration of the database server itself.
>>> Use your best judgment here to try to keep the data submitted relevant
>>> to the project. If you have a question or aren’t sure, just ask us for
>>> There are 5 pages of questions, most of which are very short. The long
>>> one is page 4, which asks for all the vulnerability statistics. If you
>>> prefer, you can send your answers to the questions on page 4 via email to
>>> dave.wichers at owasp.org but please submit the rest of your input via
>>> this Google form.
>>> I've invited you to fill out the form *OWASP Top 10 - 2016 Data Call*.
>>> To fill it out, visit:
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org