<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The only hard numbers currently used are vulnerability stats that help us determine the typical prevalence of these kinds of vulnerabilities.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ryan and others are trying to gather stats related to the prevalence of actual attacks, which right now we haven’t used, so we currently are using our professional opinion. And what we actually need is the prevalence of successful attacks, which is very hard to know/measure.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If you can contribute to their efforts to gather actual attack statistics in some way, that would be great.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Dave<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Tony UV [mailto:tonyuv@owasp.org] <br><b>Sent:</b> Thursday, March 14, 2013 11:53 PM<br><b>To:</b> Dave Wichers; Rory McCune; Ryan 
Barnett<br><b>Cc:</b> OWASP Leaders; OWASP TopTen<br><b>Subject:</b> RE: [Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Dave/Ryan:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>I suppose I should read the methodology on the OWASP Top 10 thread, but I wanted to inquire about whether what makes up the top 10 is driven by what is actually captured by a range of honeynet projects, vendor products or partnering global MNCs willing to share incident/alert data in arrears.  If this is the case, then all top 10 issues really reflect a research approach versus a sentiment over what seems to be more prevalent.  I also agree that DoS/DDoS attacks, particularly across FIs, are extremely prevalent - however, this is based upon experience with companies in those fields and not based upon hard numbers.  So the question is: are hard numbers obtained to support the top ten, or are they driven by a conclave of security perceptions?  
<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Thoughts?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Tony UV<o:p></o:p></span></p></div><div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Sent from tablet device - please excuse any typos<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div></div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:0in 0in 0in 0in'><p class=MsoNormal><strong><span style='font-family:"Calibri","sans-serif"'>From:</span></strong><span style='font-family:"Calibri","sans-serif"'> Ryan Barnett <<a href="mailto:ryan.barnett@owasp.org">ryan.barnett@owasp.org</a>><br><strong><span style='font-family:"Calibri","sans-serif"'>Sent:</span></strong> March 14, 2013 2:05 PM<br><strong><span style='font-family:"Calibri","sans-serif"'>To:</span></strong> Dave Wichers <<a href="mailto:dave.wichers@owasp.org">dave.wichers@owasp.org</a>>,Rory McCune <<a href="mailto:rory.mccune@owasp.org">rory.mccune@owasp.org</a>><br><strong><span style='font-family:"Calibri","sans-serif"'>CC:</span></strong> OWASP Leaders <<a href="mailto:owasp-leaders@lists.owasp.org">owasp-leaders@lists.owasp.org</a>>,OWASP TopTen <<a href="mailto:owasp-topten@lists.owasp.org">owasp-topten@lists.owasp.org</a>><br><strong><span style='font-family:"Calibri","sans-serif"'>Subject:</span></strong> Re: [Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'> 
<o:p></o:p></span></p></div><div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Dave,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>I agree with all of your points.  Determining the estimated Risk level for DDoS is challenging, especially when you consider the org's vertical market.  As you referenced in your BankInfoSecurity story, Finance verticals are being targeted as part of a multi-pronged attack where DDoS is used as a smoke-screen for ACH transfers.  The attacker uses a combination of Banking Trojans client-side with C&C to IRC botnets which can launch DDoS floods.  So the impact of the website downtime will be removed once the attack stops; however, the end result is that funds were also stolen.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>I will get with Pawel and see if we can put together a Risk rating estimation for consideration.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>-Ryan<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p></div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From: </span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Dave Wichers <<a href="mailto:dave.wichers@owasp.org" target="_blank">dave.wichers@owasp.org</a>><br><b>Date: </b>Thursday, March 14, 2013 1:52 PM<br><b>To: </b>'Rory McCune' <<a href="mailto:rory.mccune@owasp.org" target="_blank">rory.mccune@owasp.org</a>><br><b>Cc: </b>Ryan Barnett <<a href="mailto:ryan.barnett@owasp.org" target="_blank">ryan.barnett@owasp.org</a>>, 'OWASP Leaders' <<a href="mailto:owasp-leaders@lists.owasp.org" target="_blank">owasp-leaders@lists.owasp.org</a>>, 'OWASP TopTen' <<a href="mailto:owasp-topten@lists.owasp.org" target="_blank">owasp-topten@lists.owasp.org</a>><br><b>Subject: </b>RE: [Owasp-topten] [Owasp-leaders] OWASP Top 10 Methodology<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I was thinking that was one option too. To add DDOS as a serious network level threat to Apps, but have it not directly be in the Top 10.</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>But that is also a bit weird and opens up the question “Well, what else belongs in that other list?”</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It appears that 20%-25% of the DOS attacks are against the app directly, from the stats Ryan references in his email anyway. So that’s not an inconsequential #. And even if you ignore the network level DOS attacks, that probably still ranks DOS in the Top 5 most common application attacks anyway, possibly in the Top 2-3. Top 5 successful attacks? That’s harder to figure out. And DOS is not a black/white issue. No matter what, an attack slows you down, and so in some sense is somewhat successful no matter what. If it has a significant impact on the app’s users, that to me would be considered a successful attack. Another thing weird about DOS is the benefit of the attack is primarily only during the attack. Once it stops, it doesn’t have much long term impact, whereas stealing sensitive info/credentials has a serious long term impact.</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ryan, do you, Pawel, and whoever else is interested want to try to take a shot at calculating the risk of DOS to web apps using the OWASP Top 10 risk rating methodology to see how you think it scores? 
In terms of prevalence data, app level DOS vulnerabilities are rarely found/reported, but I suspect that’s primarily because people rarely look for them.</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Given the prevalence data you’ve been looking at, it looks like DOS would rank at least a Medium. Again, prevalence is likelihood of successful attack in the Top 10 methodology, not just likelihood of attack. But as I just said, the definition of success for a DOS attack is a bit fuzzy. If we said success was the site was effectively unavailable during the attack, then that would clarify the definition of success. Although how long it was unavailable probably merits consideration in the definition of success too. 
I have no idea how many attacks result in the site essentially being unavailable, nor for how long.</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Dave</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Rory McCune [<a href="mailto:rory.mccune@owasp.org" target="_blank">mailto:rory.mccune@owasp.org</a>] <br><b>Sent:</b> Thursday, March 14, 2013 1:34 PM<br><b>To:</b> Dave Wichers<br><b>Cc:</b> Ryan Barnett; OWASP Leaders; OWASP TopTen<br><b>Subject:</b> Re: [Owasp-topten] [Owasp-leaders] OWASP Top 10 Methodology</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Hi, <o:p></o:p></span></p><div><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>I'd agree (although without strong data to back that up) that my perception is that most DoS attacks are network level DDoS, primarily due to the ease of putting together (or buying) and using a Botnet.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>I suppose that the challenge is that businesses look at risks which impact their assets, and these days external facing systems tend to be web applications so most threats target them, so they see more threats as being relevant to web applications than are actually in the domain of the application itself.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Is there scope to include an "others" appendix to the Top 10 to put context around why other issues which are related to apps but not primarily protected against at the app level (with this being an example) weren't included? 
Having said that, though, it perhaps just moves the problem a little bit and then we'd end up with a huge appendix of things which impact applications.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Cheers<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Rory<o:p></o:p></span></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>On Thu, Mar 14, 2013 at 4:41 PM, Dave Wichers <<a href="mailto:dave.wichers@owasp.org" target="_blank">dave.wichers@owasp.org</a>> wrote:<o:p></o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I definitely agree that there are things that APPS can do to help prevent app level DOS attacks.</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>But here’s the issue.  The OWASP Top 10 is about the current biggest risks. And I suspect, but don’t know for sure, that most real world DOS attacks against apps are actually against the app’s infrastructure, not the app itself. We need to look into the details of whatever metrics we have access to, to see if that is true.</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>So, if the real world attacks are against the infrastructure, then if we add DOS to the Top 10, we should talk about infrastructure defenses, since that’s what is really happening.  We don’t want to add DOS to the Top 10 because it’s common, and then present a bunch of app level defenses that don’t actually stop the kinds of attacks that are actually occurring.</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>And adding a bunch of network level defenses against DOS to the OWASP Top 10 feels a little weird. 
And to others, NOT having DOS in the Top 10 feels a little weird too.</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>As I said, this is a tricky issue for the Top 10.</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Dave</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Rory McCune [mailto:<a href="mailto:rory.mccune@owasp.org" target="_blank">rory.mccune@owasp.org</a>] <br><b>Sent:</b> Thursday, March 14, 2013 12:36 PM<br><b>To:</b> Dave Wichers<br><b>Cc:</b> Ryan Barnett; OWASP Leaders; OWASP TopTen<br><b>Subject:</b> Re: [Owasp-topten] 
[Owasp-leaders] OWASP Top 10 Methodology</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Hi, <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>I think that there are some things that app developers/owners could do to address app DoS (although, as you say, I think that network DDoS is more common).<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>The kind of App DoS I'm thinking of would be where a simple GET or POST request could trigger a computationally expensive transaction on the application database or server. So for example something like a large database query that's triggered by a product search.  
Presumably the application has been tested for standard usage patterns but may not have been tested for someone making very large numbers of searches quickly.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>In terms of mitigation, I'd say that there would be a two phase approach.  First would be identification of what transactions/requests caused large processing loads and secondly would be implementing some form of protection, which could take the form of basic rate limiting for a given transaction or perhaps at a more advanced level detecting an unusual usage pattern (i.e. ordinary users browse from the login page through to the search page and then search once, whereas these IPs are hitting the search page repeatedly without any other page visit) and then blocking/limiting those IPs in relation to those transactions.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>The advantage of defending this at the application layer is that there's likely to be more visibility/understanding of what constitutes unusual behavior and also what the high processing requirement transactions are.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Cheers<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Rory<o:p></o:p></span></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>On Thu, Mar 14, 2013 at 4:26 PM, Dave Wichers <<a href="mailto:dave.wichers@owasp.org" target="_blank">dave.wichers@owasp.org</a>> wrote:<o:p></o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hey everyone. Related to DDOS, (Today’s latest event is: </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><a href="http://www.bankinfosecurity.com/ddos-6-banks-hit-on-same-day-a-5607" target="_blank">http://www.bankinfosecurity.com/ddos-6-banks-hit-on-same-day-a-5607</a>), do we have any stats/metrics on how many DDOS attacks are at the application level vs. the network level?<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>The OWASP Top 10 is about Web Apps, not network security. 
And I know if they DDOS the server and take out the app, then it’s an app problem, but is there anything the APP itself can do about the most common DDOS attacks?<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>I’m trying to figure out, if we added DDOS to the Top 10, what advice we could provide to developers/app owners on how to mitigate this risk? And if all the advice is at the network level, because that’s the best / easiest place to defend against this, does that belong in a top 10 list for apps? Maybe/Maybe not.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>I’m trying to encourage discussion here. I’m not saying I don’t think it belongs in the Top 10. 
This is a tricky/complex issue worth discussing.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>-Dave<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan Barnett [mailto:<a href="mailto:ryan.barnett@owasp.org" target="_blank">ryan.barnett@owasp.org</a>] <br><b>Sent:</b> Wednesday, March 13, 2013 11:00 AM<br><b>To:</b> Dave Wichers<br><b>Cc:</b> Michael Coates; OWASP Leaders; OWASP TopTen</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><br><b>Subject:</b> Re: [Owasp-leaders] OWASP Top 10 Methodology<o:p></o:p></span></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>FYI - I have added links to sample 
attack reports to this page -<o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><a href="https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements" target="_blank">https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements</a><o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>-Ryan<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>On Tue, Mar 5, 2013 at 9:33 AM, Dave Wichers <<a href="mailto:dave.wichers@owasp.org" target="_blank">dave.wichers@owasp.org</a>> wrote:<o:p></o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks Ryan for taking the lead on this step of the methodology. 
I’m very interested in seeing what the various attack metric sources we can get our hands on say about the prevalence of different kinds of attacks.</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>One comment about the prevalence factor in the Top 10 is that its definition is:</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The likelihood that an attacker would successfully attack the application given this vulnerability.  
I could imagine some attack metrics only measure attempts to attack (like random DOSing, or random attempts at SQL injection/XSS) but don’t or can’t measure the number of actually successful attacks.</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>And I think the likelihood of success is pretty important. Take Reflected XSS for example. It’s pretty prevalent, it’s pretty easy to find, but it can be hard to successfully pull off.</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Don’t get me wrong, I think knowing what attack attempts are actually occurring out there in the wild is great information to know. 
But I’m not sure if that data is an exact match to what we consider the likelihood of actual successful attack in the Top 10 as it’s defined today.</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Dave</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:owasp-leaders-bounces@lists.owasp.org" target="_blank">owasp-leaders-bounces@lists.owasp.org</a> [mailto:<a href="mailto:owasp-leaders-bounces@lists.owasp.org" target="_blank">owasp-leaders-bounces@lists.owasp.org</a>] <b>On Behalf Of </b>Ryan Barnett<br><b>Sent:</b> Tuesday, March 05, 2013 9:25 AM<br><b>To:</b> Michael Coates; OWASP Leaders; OWASP TopTen</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><br><b>Subject:</b> Re: [Owasp-leaders] OWASP Top 10 
Methodology<o:p></o:p></span></p></div></div></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>With regards to "Additional data sources to be considered" Enhancement item – I am contacting various vendors that I listed to try and get access to web attack metrics.  I have heard back from both Akamai and Incapsula and they are willing to share so I will work with them.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>I will update the group when I have more info.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>-Ryan<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From: </span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Michael Coates <<a href="mailto:michael.coates@owasp.org" 
target="_blank">michael.coates@owasp.org</a>><br><b>Date: </b>Saturday, March 2, 2013 7:15 PM<br><b>To: </b>OWASP Leaders <<a href="mailto:owasp-leaders@lists.owasp.org" target="_blank">owasp-leaders@lists.owasp.org</a>>, OWASP TopTen <<a href="mailto:owasp-topten@lists.owasp.org" target="_blank">owasp-topten@lists.owasp.org</a>><br><b>Subject: </b>Re: [Owasp-leaders] OWASP Top 10 Methodology</span><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><div><div><div><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Leaders,<o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>The OWASP Top 10 Methodology wiki page (as described in the below email) is now live - <a href="https://owasp.org/index.php/Top_10_2013/ProjectMethodology" target="_blank">https://owasp.org/index.php/Top_10_2013/ProjectMethodology</a><o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>As you'll see in the first line of the wiki - "The goal of this page is to provide the baseline of knowledge to begin a thoughtful conversation of enhancements and changes to continue growing the OWASP top 10."<o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Next 
Steps:<o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>- Have ideas on how we can enhance the methodology? Please add it here <a href="https://owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements" target="_blank">https://owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements</a><o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>- We'll then begin making changes based on these ideas<o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Overall Goal:<o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Increase participation, enhance methodology, and continue to grow the excellent OWASP top 10 resource <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Thanks for everyone's hard work so far on the Top 10 and all the good ideas that have been floating around. I'm confident we can all work together as a community to make this next top 10 awesome.  
I look forward to continuing this conversation with everyone.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><br clear=all><o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><br>--<br>Michael Coates | OWASP | @_mwc<br><a href="http://michael-coates.blogspot.com" target="_blank">michael-coates.blogspot.com</a><o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>On Tue, Feb 26, 2013 at 12:05 PM, Michael Coates <<a href="mailto:michael.coates@owasp.org" target="_blank">michael.coates@owasp.org</a>> wrote:<o:p></o:p></span></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Leaders & Top 10 Enthusiasts,<o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Dave and I had a great conversation today about the Top 10 and some of the questions that have been posed by many in our owasp community.<br><br>We're going to build a wiki page that describes the overall project methodology of the owasp top 10, what's currently happening, suggestions for improvements, and an FAQ.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>The project has continually grown over the various releases and has successfully attracted more 
worldwide attention. As we've grown as an organization we've seen many new ways to further open the top 10 and invite greater participation.<br><br>This methodology wiki page will help clarify the activities to date and provide a feedback channel to continue growing.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>Please look for this page later this week. It would have been great for me to include the completed page with this email, but it will take a day or two and I wanted to send this info to the list now.<br><br><br><br>Thanks!<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><br clear=all><o:p></o:p></span></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><br>--<br>Michael Coates | OWASP | @_mwc<br><a href="http://michael-coates.blogspot.com" target="_blank">michael-coates.blogspot.com</a><o:p></o:p></span></p></div></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'>_______________________________________________ OWASP-Leaders mailing list <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a> <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a> <o:p></o:p></span></p></blockquote></div></div></div></div></div><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'><br>_______________________________________________<br>Owasp-topten mailing list<br><a href="mailto:Owasp-topten@lists.owasp.org" target="_blank">Owasp-topten@lists.owasp.org</a><br><a href="https://lists.owasp.org/mailman/listinfo/owasp-topten" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-topten</a><o:p></o:p></span></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div></div></div></div></blockquote></div></div></div></body></html>