[Owasp-leaders] OWASP Summit - Day 2 Outcomes

Kenneth R. van Wyk ken at krvw.com
Wed Jun 14 11:25:11 UTC 2017


Thanks for keeping us posted on these outcomes, Andrew. Much appreciated!

Cheers,

Ken van Wyk


> On Jun 13, 2017, at 10:07 AM, Andrew van der Stock <vanderaj at owasp.org> wrote:
> 
> Session #1 Data Weighting
> 
> This was a great session, where we agreed on what's staying and the "why" weighting and normalization.
> 
> There will be a second data call, ending on August 25. If you can provide data in the same format as found here (https://github.com/OWASP/Top10/blob/master/2017/datacall/OWASP%20Top%2010%20-%202017%20Data%20Call-Public%20Release.xlsx), that would be great. We are looking for large and small data sets - tool or human driven, we want it all. We will get that out widely once I have a chance to talk it over with Foundation Staff. I will reach out to those who have volunteered recently, but there will be a widespread and coordinated social media blitz once we're ready to do it. I want this to be a trial run for the OWASP Top 10 2020 data collection so we can learn from it as well.
> 
> Secondly, I will work with Brian Glas to define a set of 5-10 "on the cusp" / forward looking inclusions and let the community decide the fate of A7 / A10. Depending on the risk rating of the issues that are likely to be considered (XXE, Serialization, etc.), A7 and A10 may move around a bit.
> 
> Thirdly, I will work with Brian Glas and others to help define not only the final weighting for 2017, but some interesting questions for the 2020 data call, so basically, what could be done better for next time. We have agreed in this session, it's too late to change the data collection as we've already collected a lot of data.
> 
> Lastly, we have decided on a final date for the next release of the OWASP Top 10 2017 - late November, probably just before Thanksgiving. I will try to get it out the week before. This drives various dates before then. We are looking for a relatively final release candidate in October to make sure that the data has had time to be analysed and included.
> 
> We are keeping 8 (A1, A2, A3, A4, A5, A6, A8, A9) - consensus view
> Data call open immediately to August 25
> Data format is to be the same for the 2017 data call for any additional data
> Get enough data for repeatable data calls in later years
> In conjunction, survey community to develop the two forward looking items, also August 25
> Compile a survey by June 30 (Brian Glas / AJV + anyone),
> November 25, 2017
> 
> 
> Session #2 Review of A7 (and A10)
> 
> Dave took us through how A7 and A10 came to be, and honestly, after initial skepticism, this one really grew on me. The number of times I've performed a full throttle pen test and the client hasn't detected me or even noticed I'm now an admin with all the data is a bit worrying, so I think as we've decided that up to two forward looking issues are to be reserved per edition, I am actually pretty okay with this issue now. However, we are still going to do the data call and it might still miss out or be made into a lower priority. We will see.
> 
> I added in all of the feedback that Dave had. If any feedback is missing, please log it to Github.
> 
> Agreed outcomes
> Rename the section to Insufficient Attack Preparation or Insufficient detection and response
> Ensure that products and services are OWASP aligned, e.g. Name OWASP projects and remove commercial offerings
> This is an "app" problem, helps dev and ops to work together, and should encourage. Nothing about ops in it, first devops issue. Might add more to existing text to make it more aligned with the devops movement
> 
> Still in the air:
> Dave suggests we release an intermediate RC2 this month, RC3 later in the year and document that process and dates
> AJV notes he is moving countries and may not achieve this in June. AJV wants to do weekly releases or just track master on Github.
> I will make a decision on this depending on how much I have on my plate. I have to be realistic here as much as I want the issues documented in Github taken care of
> 
> Torsten suggested we use a Top 10 for Developers (). I will follow up with him to find this and also to think about OWASP Top 10 for Defenders to complement OWASP Proactive Controls / OWASP Top 10 Risks. This is not decided or an agreed outcome.
> 
> Review of the OWASP Top 10 RC1
> 
> If you want to spend time reviewing the current draft, please do so, and provide feedback here:
> 
> https://github.com/OWASP/Top10/issues
> 
> Please only one issue per area (i.e. "F" or "A3"), with the format of "what is wrong", "argument or data that backs your change", and "proposed change". If it's just a small typo, spelling error, or minor edit, no argument data is required.
> 
> 
> End of the OWASP Top 10 track
> 
> The rest of the week is free time. Thank you to everyone who participated in person and remotely. We had a few audio issues, but once video was dropped it came good.
> 
> We have made it to a point where action items need to be done by me and Brian Glas on the data call and editing the issues in Github. I don't want to waste folks' time, especially as there are so many great sessions on, so attendees who were aiming to attend the OWASP Top 10 tracks should find other tracks to learn more about the other great projects and initiatives at OWASP.
> 
> 
> Contacting me
> 
> I am moving countries, but I will try to make myself available. I'm obviously available here via e-mail and Hangouts, but also on Skype (vanderaj), on Twitter (@vanderaj). I do maintain a somewhat active presence on Google+ but I know few of you do. +Andrew van der Stock. I'd give my cell number, but it's got about 6 days to live, so yeah, nah.
> 
> thanks,
> Andrew
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
