[Owasp-topten] OWASP Top Ten Possible Changes (long)

Mark Curphey mark at curphey.com
Fri Aug 5 10:22:14 EDT 2005


No thoughts will be ignored. OWASP today is still the meritocracy it was
when I started it in 2000. The point (which I think I could have done a
better job of making in hindsight) is that I am personally swamped until
next week. 

I know from (bitter (careful choice of word) experience that the projects
that happen are those where one person Shepard's things to completion. Guide
2 is a good example of this. Well done Monsieur Van De Stock!  In order for
me to do this for the top ten (which is what I signed up to) I need to have
the time to process things and clear the decks for a full on assault. The
projects that never happen are those where there is generally no plan, lots
of diverse opinion (and mailing list action) and no leader.  

I am meeting with the Mitre folks next Monday to talk about there work in
taxonomies, Mike Howard and John Viega and some other people the week after
next. Please just bear with me so we can start on the right footing and
produce an excellent piece of work. 


-----Original Message-----
From: owasp-topten-admin at lists.sourceforge.net
[mailto:owasp-topten-admin at lists.sourceforge.net] On Behalf Of Chuck
Sent: Thursday, August 04, 2005 11:11 PM
To: owasp-topten at lists.sourceforge.net
Subject: Re: [Owasp-topten] OWASP Top Ten Possible Changes (long)

Mark, et al.

    I don't think that we are "jumping the gun" by discussing the issue.  I
don't want to speak for Achim, but I just wanted to throw my ideas out there
and see what people thought.  I acknowledge that the whoever decides the
next Top Ten may choose to ignore my thoughts, that is no problem.

   Specifically, I don't know if I like your idea of having several Top Ten
lists for different things.  I think that the Top Ten was valuable for
marketing because it was relatively small, covered the most common issues,
and the issues were relatively easy to understand.
 It was something that just about anyone could look at and go "Hrm, I wonder
if our application has this issue".  If you split it up into multiple lists
you lose some of the easy accessibility of the current Top Ten.  Maybe I am
in the minority, but I think that the Top Ten just needs a little tweaking,
not an overhaul.

   I can see your point about the Top Ten mixing some different types of
issues, but I think that could be fixed by rewording the issues.

   All that said, I'm not 100% sold on anything right now so I am interested
to see what you come up with.  I think the one thing that everyone agrees on
is that the Top Ten needs updating.  Have a good one!


On 7/30/05, Mark Curphey <mark at curphey.com> wrote:
> With all due respect this is jumping the gun. We need to do this 
> re-write systematically in order to avoid chaos. Please let me take 
> the two weeks I need to pull together the strawman.  If we just tackle 
> this by mailing list commentary, we will just end up with another 
> version of the T10 but not address the root causes of why it is not as 
> effective as it could be. Please bear with me for two weeks while I 
> pull the strawman together. It will be worth it ! I promise. If not 
> you can have at it on the lists ;-)

SF.Net email is Sponsored by the Better Software Conference & EXPO September
19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile &
Plan-Driven Development * Managing Projects & Teams * Testing & QA Security
* Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Owasp-topten mailing list
Owasp-topten at lists.sourceforge.net

More information about the Owasp-topten mailing list