[Owasp-topten] OWASP Top Ten Possible Changes (long)

Chuck chuck.lists at gmail.com
Thu Aug 4 23:10:47 EDT 2005

Mark, et al.

    I don't think that we are "jumping the gun" by discussing the
issue.  I don't want to speak for Achim, but I just wanted to throw my
ideas out there and see what people thought.  I acknowledge that
whoever decides the next Top Ten may choose to ignore my thoughts,
that is no problem.

   Specifically, I don't know if I like your idea of having several
Top Ten lists for different things.  I think that the Top Ten was
valuable for marketing because it was relatively small, covered the
most common issues, and the issues were relatively easy to understand.
It was something that just about anyone could look at and go "Hrm, I
wonder if our application has this issue".  If you split it up into
multiple lists you lose some of the easy accessibility of the current
Top Ten.  Maybe I am in the minority, but I think that the Top Ten
just needs a little tweaking, not an overhaul.

   I can see your point about the Top Ten mixing some different types
of issues, but I think that could be fixed by rewording the issues.

   All that said, I'm not 100% sold on anything right now so I am
interested to see what you come up with.  I think the one thing that
everyone agrees on is that the Top Ten needs updating.  Have a good


On 7/30/05, Mark Curphey <mark at curphey.com> wrote:
> With all due respect this is jumping the gun. We need to do this re-write
> systematically in order to avoid chaos. Please let me take the two weeks I
> need to pull together the strawman.  If we just tackle this by mailing list
> commentary, we will just end up with another version of the T10 but not
> address the root causes of why it is not as effective as it could be. Please
> bear with me for two weeks while I pull the strawman together. It will be
> worth it ! I promise. If not you can have at it on the lists ;-)
