<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="&#1;" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.EmailStyle22
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle23
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle24
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Yes, you do look at composition, but you <u>consider</u> impact, which is why the top ten risks work. Not disagreeing on the framework manifesto use, b/c I do think that there should be a degree of relativism in security instead of having the variables defined for you as a company in terms of what risk is.  The problem is that most may take the OWASP Top Ten as an absolute form, w/o considering that other types of labels or labels within that list come in a different order – for them.  But is this a problem with the Top Ten (as an example, or sub in anything else here) or a problem with its understood use and applicability and can we really do anything related to that. <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Still like the data.gov security data warehouse where data mash-ups can take place. 
Think that some defined set of top ten like guidance is applicable in addition to the flexibility of consumers using that information to define their own comparative baseline.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;color:#1F497D'>Tony UcedaVelez, CISM, CISA, GSEC</span><span style='font-size:10.0pt;color:black'><o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;color:black'>Chapter Lead<o:p></o:p></span></b></p><p class=MsoNormal><b><span style='font-size:10.0pt;color:#548DD4'>OWASP Atlanta<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;color:#548DD4'>http://www.owasp.org/index.php/Atlanta_Georgia<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;color:#548DD4'>Twitter: <i>@versprite</i><o:p></o:p></span></p></div><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> owasp-leaders-bounces@lists.owasp.org [mailto:owasp-leaders-bounces@lists.owasp.org] <b>On Behalf Of </b>James McGovern<br><b>Sent:</b> Tuesday, November 30, 2010 11:09 AM<br><b>To:</b> owasp-leaders@lists.owasp.org<br><b>Subject:</b> Re: [Owasp-leaders] Metrics<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><span style='color:#1F497D'>I think I am saying that the label used shouldn’t be the OWASP Top Ten but should be the contents of the Web Application Security Framework Manifesto. When you look at food, you look at its composition, not its impact. For example, you would see things like sugar (ingredient) but you wouldn’t see things like diabetes (outcome if you consume too much of an ingredient). 
The Top Ten are things that can occur either when ingredients are missing (input validation) or are defective (e.g. broken auth models)<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Nowadays, if you walk into a grocery store such as Whole Paycheck, Big Y, Stop &amp; Shop, etc. you will see that they also provide a methodology that translates health into a single number where the scale is 1 (bad) to 100 (good). A consumer needs to be able to tell that eating a banana is more healthy than eating a whole box of Little Debbie’s Oatmeal Cream Pies (my favorite food). <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Anyway, I think what I am noodling is the value of OWASP creating a data warehouse along the lines of data.gov where &lt;&lt;consumers&gt;&gt; can mine security data and form their own conclusions…<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><p class=MsoNormal><b><span style='font-size:10.0pt;color:gray'>James McGovern<br></span></b><span style='font-size:10.0pt;color:gray'>Insurance SBU <o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;color:gray'>Virtusa </span></b><b><span style='font-size:10.0pt;color:#7F7F7F'>Corporation</span></b><b><span style='font-size:10.0pt;color:gray'><o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;color:gray'>100 Northfield Drive, Suite 305 | Windsor, CT | 06095<o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;color:#7F7F7F'>Phone:&nbsp; </span></b><span style='font-size:10.0pt;color:gray'>860 688 9900</span><span style='font-size:10.0pt;color:#7F7F7F'> <b>Ext:&nbsp; </b></span><span style='font-size:10.0pt;color:gray'>1037</span><span style='font-size:10.0pt;color:#7F7F7F'> | <b>Facsimile:&nbsp; </b></span><span 
style='font-size:10.0pt;color:gray'>860 688 2890</span><span style='font-size:10.0pt;color:#7F7F7F'> &nbsp;</span><span style='font-size:10.0pt;color:gray'><o:p></o:p></span></p><p class=MsoNormal><a href="http://www.virtusa.com/"><span style='font-size:10.0pt;color:#7F7F7F;text-decoration:none'><img border=0 width=81 height=21 id="Picture_x0020_52" src="cid:image001.jpg@01CB9081.3FD0A390" alt="cid:image011.jpg@01CB08A4.F95CFA30"></span></a><span style='font-size:10.0pt;color:#1F497D'>&nbsp;</span><a href="http://www.virtusa.com/blog/"><span style='color:#1F497D;text-decoration:none'><img border=0 width=22 height=22 id="Picture_x0020_53" src="cid:image002.gif@01CB9081.3FD0A390" alt="cid:image012.gif@01CB08A4.F95CFA30"></span></a><span style='color:#1F497D'> </span><a href="https://twitter.com/VirtusaCorp" target="_blank"><span style='font-size:12.0pt;font-family:"Times New Roman","serif";text-decoration:none'><img border=0 width=22 height=22 id="Picture_x0020_54" src="cid:image003.gif@01CB9081.3FD0A390" alt="cid:image004.gif@01CB08A4.F95CFA30"></span></a><span style='color:#1F497D'>&nbsp;</span><a href="http://www.linkedin.com/companies/virtusa" target="_blank"><span style='font-size:12.0pt;font-family:"Times New Roman","serif";text-decoration:none'><img border=0 width=22 height=22 id="Picture_x0020_55" src="cid:image004.gif@01CB9081.3FD0A390" alt="cid:image005.gif@01CB08A4.F95CFA30"></span></a><span style='color:#1F497D'>&nbsp;</span><a href="http://www.facebook.com/VirtusaCorp" target="_blank"><span style='font-size:12.0pt;font-family:"Times New Roman","serif";text-decoration:none'><img border=0 width=22 height=22 id="Picture_x0020_56" src="cid:image005.gif@01CB9081.3FD0A390" alt="cid:image006.gif@01CB08A4.F95CFA30"></span></a><span style='color:#1F497D'><o:p></o:p></span></p></div><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p 
class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jeff Williams [mailto:jeff.williams@owasp.org] <br><b>Sent:</b> Monday, November 29, 2010 2:36 PM<br><b>To:</b> owasp-leaders@lists.owasp.org<br><b>Cc:</b> James McGovern<br><b>Subject:</b> RE: [Owasp-leaders] Metrics<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><span style='color:#1F497D'>Hi James,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>I studied a number of different labeling regimes and presented the results at OWASP AppSec DC 2010.&nbsp; Here are the slides and what I intended to say is in the notes.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><a href="http://www.owasp.org/images/1/17/2010-11_OWASP_Software_Labels.pptx">http://www.owasp.org/images/1/17/2010-11_OWASP_Software_Labels.pptx</a><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>The key finding from my research is that the content of the label doesn’t really matter that much. 
Even though it seems like the point is to inform the consumer, that doesn’t work very well.&nbsp; Actually what you end up doing is affecting the producers.&nbsp; Which is probably what we wanted to achieve in the first place.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>You can try my “Security Facts” label generating software at:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><a href="https://www.aspectsecurity.com/SecurityFacts">https://www.aspectsecurity.com/SecurityFacts</a><o:p></o:p></span></p><div><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Have fun!<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>--Jeff<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Jeff Williams, Chair<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>The OWASP Foundation<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>work: 410-707-1487<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>main: 301-604-4882<o:p></o:p></span></p></div><table class=MsoNormalTable border=0 cellpadding=0><tr><td style='background:white;padding:.75pt .75pt .75pt .75pt'><pre><span style='color:black'>Virtusa was recently ranked and featured in 2010 Deloitte Technology Fast 500, 2010 Global Services 100, IAOP's 2010 Global Outsourcing 100 sub-list and 2010 FinTech 100 among others.<o:p></o:p></span></pre><pre><span style='color:black'><o:p>&nbsp;</o:p></span></pre><pre><span 
style='color:black'>---------------------------------------------------------------------------------------------<o:p></o:p></span></pre><pre><span style='color:black'><o:p>&nbsp;</o:p></span></pre><pre><span style='color:black'>This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is intended for the addressee only. Any unauthorized disclosure, use, dissemination, copying, or distribution of this message or any of its attachments or the information contained in this e-mail, or the taking of any action based on it, is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail and delete this message.<o:p></o:p></span></pre><pre><span style='color:black'><o:p>&nbsp;</o:p></span></pre><pre><span style='color:black'>---------------------------------------------------------------------------------------------<o:p></o:p></span></pre></td></tr></table><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p>&nbsp;</o:p></span></p></div></body></html>