[Owasp-leaders] Released: OWASP Top 10 – 2017 Release Candidate

Thomas Ryan tom.ryan at providesecurity.com
Wed Apr 26 21:46:23 UTC 2017

Hi Norm,

I wholeheartedly believe in vendor neutrality. The reason why I brought up vendor names (Fortify, IBM, CheckMarx, etc.) is because of the massive datasets they have. I’m sure we can have an additional 3-5M data points added if we got more companies and a representative from each involved.
How are we supposed to say this is a TOP 10 with the equivalent dataset of one large bank (53K)? Not to mention the complexity of the different ways datasets are derived, including taking into account the limitations of each data set?

Once we have a broad enough dataset (much larger than 53K), we reach out to Joan Goodchild of CSO, and Kelly Jackson Higgins of Dark Reading for publication about OWASP TOP 10 Open For Comment By Industry Leaders (Not OWASP).
I think that would be powerful information to have. Thoughts?

Have an amazing day!

Thomas Ryan

From: Norman Yue [mailto:norman.yue at owasp.org]
Sent: Wednesday, April 26, 2017 3:23 AM
To: Thomas Ryan <tom.ryan at providesecurity.com>
Cc: Dinis Cruz <dinis.cruz at owasp.org>; Dave Wichers <dave.wichers at owasp.org>; OWASP Leaders <owasp-leaders at lists.owasp.org>; OWASP TopTen <owasp-topten at lists.owasp.org>
Subject: Re: [Owasp-leaders] Released: OWASP Top 10 – 2017 Release Candidate

Hey folks,

I'd like to echo Tom's comment - vendor neutrally, I don't think this is even about which vendors get to contribute data and drive the development of what is widely considered a vendor-neutral best practice standard. Actually, let's meditate on that for a second before we proceed: this isn't a game, this is a discussion regarding industry best practice.

Given the scope and potential impact of the OWASP Top Ten, and its reflection on OWASP as a group, I think it is absolutely crucial that this in particular gets discussed openly, and those who have something to participate can, and this is broadly endorsed by OWASP as a community, instead of the ongoing dissension happening now.

May I recommend setting up something like a Google Hangouts meeting for people to both voice their feedback, as well as for the relevant top-ten working group to work with the community to decide something mutually workable. (Is the working group open to this?)

Have a grand and glorious day,


On Wed, Apr 26, 2017 at 11:09 AM, Thomas Ryan <tom.ryan at providesecurity.com> wrote:
Hi Dinis,

How can people participate remotely? One of the biggest questions asked by my customers: why were Fortify/WebInspect, IBM and CheckMarx left out of participating and sharing data?
In the sense of transparency, I work for HPE Fortify.

When my customers asked, I reached out to my Product Management and Research Team and they said no one was asked to share data or participate.
I then reached out to friends at IBM and CheckMarx and they said the same. Is there a reason why 3 of the 4 Leaders were left out from participating?

Thanks for all your great work!

Tom Ryan

From: owasp-leaders-bounces+tom.ryan=providesecurity.com at lists.owasp.org [mailto:owasp-leaders-bounces+tom.ryan=providesecurity.com at lists.owasp.org] On Behalf Of Dinis Cruz
Sent: Tuesday, April 25, 2017 8:29 PM
To: Dave Wichers <dave.wichers at owasp.org>
Cc: OWASP Leaders <owasp-leaders at lists.owasp.org>; OWASP TopTen <owasp-topten at lists.owasp.org>
Subject: Re: [Owasp-leaders] Released: OWASP Top 10 – 2017 Release Candidate

Hi, given the recent debates about the changes made on this new version of the OWASP Top 10, the next OWASP Summit 2017 will host a Working Session to allow for further collaboration and debate.

Please take a look at http://owaspsummit.org/Working-Sessions/Project-Summit/Owasp-Top-10-2017.html and add/change it accordingly (btw, you can now register as a participant, and, if you want to help organise it, please do: we need an organiser for this Working Session).

Here is a first pass at the topics to cover:

What do you think?

[Inline images 1]


On 10 April 2017 at 15:36, Dave Wichers <dave.wichers at owasp.org> wrote:

OWASP Leaders!

The Release Candidate for the OWASP Top 10 – 2017 is now available! (Attached)

It’s also available for download here: <https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf>

Please forward to all the developers and development teams you know!! I’d love to get feedback from them too, and to start immediately raising awareness about what’s changed in this update to the OWASP Top 10. The primary change is the addition of two new categories:

2017-A7: Insufficient Attack Protection

2017-A10: Underprotected APIs

We plan to release the final version of the OWASP Top 10 - 2017 in July or Aug. 2017 after a public comment period ending June 30, 2017.

Constructive comments on this OWASP Top 10 - 2017 Release Candidate should be forwarded via email to OWASP-TopTen at lists.owasp.org. Private comments may be sent to dave.wichers at owasp.org. Anonymous comments are welcome. All non-private comments will be catalogued and published at the same time as the final public release. Comments recommending changes to the items listed in the Top 10 should include a complete suggested list of changes, along with a rationale for any changes. All comments should indicate the specific relevant page and section.

Your feedback is critical to the continued success of the OWASP Top 10 Project. Thank you all for your dedication to improving the security of the world’s software for everyone.

Thanks, Dave

OWASP Top 10 Project Lead

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
