[Owasp-leaders] Released: OWASP Top 10 – 2017 Release Candidate

Neil Smithline neil.smithline at owasp.org
Thu Apr 27 14:37:19 UTC 2017


I didn't mean to imply that that was the only place where the call for data
was posted. It was also sent to the OWASP Top Ten list
<http://lists.owasp.org/pipermail/owasp-topten/2016-May/001343.html>. And
perhaps elsewhere.

On Thu, Apr 27, 2017, 09:57 Tony Turner <tony.turner at owasp.org> wrote:

> The OWASP Leaders list is not the only place that a standard such as T10
> should be requesting data. The impact is too broad. It needs to be
> communicated to a larger audience.
>
> On Thu, Apr 27, 2017 at 9:46 AM, Neil Smithline <neil.smithline at owasp.org>
> wrote:
>
>> My recollection of the process is that there was a call for data
>> <http://lists.owasp.org/pipermail/owasp-leaders/2016-May/016625.html> for
>> the T10 that was sent out May 21, _2016_. The deadline for responses was
>> July 2016. Some vendors replied, others didn't.
>>
>> Neil
>>
>> [My first email bounced due to length so I had to trim the replies and
>> resend. Sorry if you got a duplicate.]
>>
>> On Wed, Apr 26, 2017 at 5:46 PM, Thomas Ryan <
>> tom.ryan at providesecurity.com> wrote:
>>
>>> Hi Norm,
>>>
>>>
>>>
>>> I wholeheartedly believe in vendor neutrality. The reason why I brought
>>> up vendor names (Fortify, IBM, CheckMarx, etc) is because of the massive
>>> datasets they have. I’m sure we can have an additional 3-5M Data points
>>> added if we got more companies and a representative from each involved.
>>>
>>> How are we supposed to say this is a TOP 10 with the equivalent dataset
>>> of one large bank (53K)? Not to mention the complexity of the different ways
>>> datasets are derived, including taking into account the limitations of each
>>> data set?
>>>
>>>
>>>
>>> Once we have a broad enough dataset (much larger than 53K), we reach
>>> out to Joan Goodchild of CSO, and Kelly Jackson Higgins of Dark Reading for
>>> publication about OWASP TOP 10 Open For Comment By Industry Leaders (Not
>>> OWASP)
>>>
>>> I think that would be powerful Information to have. Thoughts?
>>>
>>>
>>>
>>> Have an amazing day!
>>>
>>>
>>>
>>> Thomas Ryan
>>>
>>> https://www.linkedin.com/in/tommyryan/
>>>
>>> *From:* Norman Yue [mailto:norman.yue at owasp.org]
>>> *Sent:* Wednesday, April 26, 2017 3:23 AM
>>> *To:* Thomas Ryan <tom.ryan at providesecurity.com>
>>> *Cc:* Dinis Cruz <dinis.cruz at owasp.org>; Dave Wichers <
>>> dave.wichers at owasp.org>; OWASP Leaders <owasp-leaders at lists.owasp.org>;
>>> OWASP TopTen <owasp-topten at lists.owasp.org>
>>>
>>> *Subject:* Re: [Owasp-leaders] Released: OWASP Top 10 – 2017 Release
>>> Candidate
>>>
>>>
>>>
>>> Hey folks,
>>>
>>>
>>>
>>> I'd like to echo Tom's comment - vendor neutrally, I don't think this is
>>> even about which vendors get to contribute data and drive the development
>>> of what is widely considered a vendor-neutral best practice standard.
>>> Actually, let's meditate on that for a second before we proceed: this isn't
>>> a game, this is a discussion regarding industry best practice.
>>>
>>>
>>>
>>> Given the scope and potential impact of the OWASP Top Ten, and its
>>> reflection on OWASP as a group, I think it is absolutely crucial that this
>>> in particular gets discussed openly, and those who have something to
>>> participate can, and this is broadly endorsed by OWASP as a community,
>>> instead of the ongoing dissension happening now.
>>>
>>>
>>>
>>> May I recommend setting up something like a Google Hangouts meeting for
>>> people to both voice their feedback, as well as for the relevant
>>> top-ten working group to work with the community to decide something
>>> mutually workable (is the working group open to this?)
>>>
>>>
>>>
>>> Have a grand and glorious day,
>>>
>>> Norm
>>>
>>> On Wed, Apr 26, 2017 at 11:09 AM, Thomas Ryan <
>>> tom.ryan at providesecurity.com> wrote:
>>>
>>> Hi Dinis,
>>>
>>>
>>>
>>> How can people participate remotely? One of the biggest questions asked
>>> from my customers, why was Fortify/WebInspect, IBM and CheckMarx left out
>>> participating and sharing data?
>>>
>>> In the sense of transparency, I work for HPE Fortify.
>>>
>>>
>>>
>>> When my customers asked, I reached out to my Product Management and
>>> Research Team and they said no one was asked to share data or participate.
>>>
>>> I then reached out to friends at IBM and CheckMarx and they said the
>>> same. Is there a reason why 3 of the 4 leaders were left out from
>>> participating?
>>>
>>>
>>>
>>> Thanks for all your great work!
>>>
>>>
>>>
>>> Tom Ryan
>>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
> --
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> WAFEC Project Leader
> STING Game Project Leader
> tony.turner at owasp.org
> https://www.owasp.org/index.php/Orlando
>