[Owasp-leaders] Released: OWASP Top 10 – 2017 Release Candidate

Steve Springett Steve.Springett at owasp.org
Mon Jun 5 20:57:37 UTC 2017


Dave,

Not to hijack this thread, but I do want to voice one point (without
getting into a debate over A7 and A10). No reply necessary, just my two
cents.


IMO, the open data call is problematic. Imagine that an open data call
existed in the medical community, but the only respondents were a
particular race, income bracket, or locality. The data would be inherently
biased and not reflective of the population as a whole. If the intent of
the study is to target a specific demographic, then this approach may work
fine. But the Top Ten represents such a diverse spectrum of software
that a broad dataset is required. If the dataset cannot be obtained, then
the study would likely be postponed until data that represents the greater
population could be obtained.

I will say that the Contrast Security user will vary dramatically from the
Fortify user in what things they care about and why. Same thing for
Veracode and Fortify. As a long-time Fortify user, occasional Veracode
user, and up until the Contrast scandal, a potential IAST candidate, the
justification for each of these tools in my org is coming from radically
different places.

—Steve





On June 5, 2017 at 1:51:45 PM, Dave Wichers (dave.wichers at owasp.org) wrote:

Hey Tom!

The T10 team directly reached out to all of those that submitted to the
2013 release, which included HP Fortify. I corresponded with them directly
and they apologized for not having the time to gather together and submit
their data for this release. I spoke with Jason Schmitt and Alex Hoole at
HP.

We did not directly reach out to anyone else, but instead relied on the
open data call that went out to the OWASP all and Top 10 mailing lists and
via twitter along with lots of retweets. As such, I believe anyone that
cared had ample time to submit their data.

-Dave




On Tue, Apr 25, 2017 at 9:09 PM, Thomas Ryan <tom.ryan at providesecurity.com>
wrote:

> Hi Dinis,
>
> How can people participate remotely? One of the biggest questions asked
> by my customers is why Fortify/WebInspect, IBM and Checkmarx were left out
> of participating and sharing data.
>
> In the sense of transparency, I work for HPE Fortify.
>
> When my customers asked, I reached out to my Product Management and
> Research Team and they said no one was asked to share data or participate.
>
> I then reached out to friends at IBM and Checkmarx and they said the
> same. Is there a reason why 3 of the 4 leaders were left out from
> participating?
>
> Thanks for all your great work!
>
> Tom Ryan
>
>
> *From:* owasp-leaders-bounces+tom.ryan=providesecurity.com at lists.owasp.org
> [mailto:owasp-leaders-bounces+tom.ryan=providesecurity.com at lists.owasp.org]
> *On Behalf Of* Dinis Cruz
> *Sent:* Tuesday, April 25, 2017 8:29 PM
> *To:* Dave Wichers <dave.wichers at owasp.org>
> *Cc:* OWASP Leaders <owasp-leaders at lists.owasp.org>; OWASP TopTen <
> owasp-topten at lists.owasp.org>
> *Subject:* Re: [Owasp-leaders] Released: OWASP Top 10 – 2017 Release
> Candidate
>
>
>
> Hi, given the recent debates about the changes made on this new version of
> the OWASP Top 10, the next OWASP Summit 2017 will host a Working Session to
> allow for further collaboration and debate.
>
>
>
> Please take a look at
> http://owaspsummit.org/Working-Sessions/Project-Summit/Owasp-Top-10-2017.html
> and add/change it accordingly (btw, you can now register as a participant,
> and, if you want to help organise it, please do; we need an organiser for
> this Working Session)
>
>
>
> Here is a first pass at the topics to cover:
>
>
>
> What do you think?
>
>
>
> [image: Inline images 1]
>
>
>
> Dinis
>
>
>
> On 10 April 2017 at 15:36, Dave Wichers <dave.wichers at owasp.org> wrote:
>
> OWASP Leaders!
>
>
>
> The Release Candidate for the OWASP Top 10 – 2017 is now available!
> (Attached)
>
>
>
> It’s also available for download here:
> https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf
>
>
>
> Please forward to all the developers and development teams you know!! I’d
> love to get feedback from them too, and to start immediately raising
> awareness about what’s changed in this update to the OWASP Top 10. The
> primary change is the addition of two new categories:
>
>
>
> 2017-A7: Insufficient Attack Protection
>
> 2017-A10: Underprotected APIs
>
>
>
> We plan to release the final version of the OWASP Top 10 - 2017 in July
> or Aug. 2017 after a public comment period ending June 30, 2017.
>
>
>
> Constructive comments on this OWASP Top 10 - 2017 Release Candidate should
> be forwarded via email to OWASP-TopTen at lists.owasp.org. Private comments
> may be sent to dave.wichers at owasp.org. Anonymous comments are welcome.
> All non-private comments will be catalogued and published at the same time
> as the final public release.  Comments recommending changes to the items
> listed in the Top 10 should include a complete suggested list of changes,
> along with a rationale for any changes. All comments should indicate the
> specific relevant page and section.
>
>
>
> Your feedback is critical to the continued success of the OWASP Top 10 Project.
> Thank you all for your dedication to improving the security of the world’s
> software for everyone.
>
>
>
> Thanks, Dave
>
>
>
> OWASP Top 10 Project Lead
>
>

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders