[Owasp-leaders] Released: OWASP Top 10 – 2017 Release Candidate

Neil Smithline neil.smithline at owasp.org
Thu Apr 27 13:38:14 UTC 2017


Perhaps I'm confused, but my recollection of the process is that there was
a call for data
<http://lists.owasp.org/pipermail/owasp-leaders/2016-May/016625.html> for
the T10 that was sent out May 21, _2016_. The deadline for responses was
July 2016. Some vendors replied, others didn't.

Neil Smithline


On Wed, Apr 26, 2017 at 5:46 PM, Thomas Ryan <tom.ryan at providesecurity.com>
wrote:

> Hi Norm,
>
>
>
> I wholeheartedly believe in vendor neutrality. The reason why I brought
> up vendor names (Fortify, IBM, CheckMarx, etc.) is because of the massive
> datasets they have. I'm sure we can have an additional 3-5M data points
> added if we got more companies and a representative from each involved.
>
> How are we supposed to say this is a TOP 10 with the equivalent dataset of
> one large bank (53K)? Not to mention the complexity of the different ways
> datasets are derived, including taking into account the limitations of each
> data set?
>
>
>
> Once we have a broad enough dataset (much larger than 53K), we reach out
> to Joan Goodchild of CSO and Kelly Jackson Higgins of Dark Reading for
> publication about OWASP TOP 10 Open For Comment By Industry Leaders (Not
> OWASP).
>
> I think that would be powerful information to have. Thoughts?
>
>
>
> Have an amazing day!
>
>
>
> Thomas Ryan
>
> https://www.linkedin.com/in/tommyryan/
>
>
>
>
>
> *From:* Norman Yue [mailto:norman.yue at owasp.org]
> *Sent:* Wednesday, April 26, 2017 3:23 AM
> *To:* Thomas Ryan <tom.ryan at providesecurity.com>
> *Cc:* Dinis Cruz <dinis.cruz at owasp.org>; Dave Wichers <
> dave.wichers at owasp.org>; OWASP Leaders <owasp-leaders at lists.owasp.org>;
> OWASP TopTen <owasp-topten at lists.owasp.org>
>
> *Subject:* Re: [Owasp-leaders] Released: OWASP Top 10 – 2017 Release
> Candidate
>
>
>
> Hey folks,
>
>
>
> I'd like to echo Tom's comment - vendor neutrally, I don't think this is
> even about which vendors get to contribute data and drive the development
> of what is widely considered a vendor-neutral best practice standard.
> Actually, let's meditate on that for a second before we proceed: this isn't
> a game, this is a discussion regarding industry best practice.
>
>
>
> Given the scope and potential impact of the OWASP Top Ten, and its
> reflection on OWASP as a group, I think it is absolutely crucial that this
> in particular gets discussed openly, and those who have something to
> participate can, and this is broadly endorsed by OWASP as a community,
> instead of the ongoing dissension happening now.
>
>
>
> May I recommend setting up something like a Google Hangouts meeting for
> people to both voice their feedback, as well as for the *relevant top-ten
> working group to work with the community to decide something mutually
> workable.* (Is the working group open to this?)
>
>
>
> Have a grand and glorious day,
>
>
>
>
>
> Norm
>
>
>
>
>
> On Wed, Apr 26, 2017 at 11:09 AM, Thomas Ryan <
> tom.ryan at providesecurity.com> wrote:
>
> Hi Dinis,
>
>
>
> How can people participate remotely? One of the biggest questions asked
> by my customers is: why were Fortify/WebInspect, IBM and CheckMarx left out
> of participating and sharing data?
>
> In the interest of transparency, I work for HPE Fortify.
>
>
>
> When my customers asked, I reached out to my Product Management and
> Research Team and they said no one was asked to share data or participate.
>
> I then reached out to friends at IBM and CheckMarx and they said the
> same. Is there a reason why 3 of the 4 leaders were left out from
> participating?
>
>
>
> Thanks for all your great work!
>
>
>
> Tom Ryan
>
>
>
>
>
>
>
> *From:* owasp-leaders-bounces+tom.ryan=providesecurity.com at lists.owasp.org
> [mailto:owasp-leaders-bounces+tom.ryan=providesecurity.com at lists.owasp.org]
> *On Behalf Of *Dinis Cruz
> *Sent:* Tuesday, April 25, 2017 8:29 PM
> *To:* Dave Wichers <dave.wichers at owasp.org>
> *Cc:* OWASP Leaders <owasp-leaders at lists.owasp.org>; OWASP TopTen <
> owasp-topten at lists.owasp.org>
> *Subject:* Re: [Owasp-leaders] Released: OWASP Top 10 – 2017 Release
> Candidate
>
>
>
> Hi, given the recent debates about the changes made on this new version of
> the OWASP Top 10, the next OWASP Summit 2017 will host a Working Session to
> allow for further collaboration and debate.
>
>
>
> Please take a look at
> http://owaspsummit.org/Working-Sessions/Project-Summit/Owasp-Top-10-2017.html
> and add/change it accordingly (btw, you can now register as a participant
> and, if you want to help organise it, please do, since we need an organiser
> for this Working Session).
>
>
>
> Here is a first pass at the topics to cover:
>
>
>
> What do you think?
>
>
>
> [image: Inline images 1]
>
>
>
> Dinis
>
>
>
> On 10 April 2017 at 15:36, Dave Wichers <dave.wichers at owasp.org> wrote:
>
> OWASP Leaders!
>
>
>
> The Release Candidate for the OWASP Top 10 – 2017 is now available!
> (Attached)
>
>
>
> *It’s also available for Download here
> <https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf>*
>
>
>
> Please forward to all the developers and development teams you know!! I’d
> love to get feedback from them too, and to start immediately raising
> awareness about what’s changed in this update to the OWASP Top 10. The
> primary change is the addition of two new categories:
>
>
>
> *2017-A7: Insufficient Attack Protection*
>
> *2017-A10: Underprotected APIs*
>
>
>
> We plan to release the final version of the OWASP Top 10 - 2017 in July
> or Aug. 2017 after a public comment period ending June 30, 2017.
>
>
>
> Constructive comments on this OWASP Top 10 - 2017 Release Candidate should
> be forwarded via email to OWASP-TopTen at lists.owasp.org. Private comments
> may be sent to dave.wichers at owasp.org. Anonymous comments are welcome.
> All non-private comments will be catalogued and published at the same time
> as the final public release. Comments recommending changes to the items
> listed in the Top 10 should include a complete suggested list of changes,
> along with a rationale for any changes. All comments should indicate the
> specific relevant page and section.
>
>
>
> Your feedback is critical to the continued success of the OWASP Top 10 Project.
> Thank you all for your dedication to improving the security of the world’s
> software for everyone.
>
>
>
> Thanks, Dave
>
>
>
> OWASP Top 10 Project Lead
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders