[Owasp-topten] Call to action: Coding Top 10 2009 & Testing Top 10 2009

Andrew van der Stock vanderaj at owasp.org
Thu May 8 11:01:33 EDT 2008

Hi folks

For next year, I'd like to create two Top 10's.

* OWASP Coding Top 10 2009
* OWASP Testing Top 10 2009

Project description.

When: Starts now


May 30: Planning is complete, methodology is chosen, and volunteers  
June 30: At least two chapters from each Top 10 is complete
July 30: At least three chapters complete
August 30: At least five chapters complete
September 30: At least eight chapters complete
October 30, 2008 for all text (intro, etc) and graphic elements to be  
November 30, 2008 for final text including all snippets. Peer review  
December 24, 2008 for PDFs, Wiki and Word versions in as many  
languages as we can manage

I think the methodology we used last time around works, but I will  
entertain thoughts on how to improve that. Let's do the research again  
using Mitre's CVE data to update the 2007 Top 10. I'd also like to see  
if MITRE wants to participate as they had a very interesting document  
going through the statistics and I think that would be an awesome  

The Coding Top 10 2009 will need way more work - we need to decide  
what things that folks should do to produce secure applications, and  
document them. The outline will be the same as what I have in mind for  
the OWASP Guide 3.0:

* Code control required (including code snippets for C#, PHP and Java  
that leverage ESAPI)
* Why this works (including code snippets that looks at how ESAPI does  
* How to spot this in your code
* What class of attacks it prevents (Testing Top 10 2009 links, demos,  
CVEs, and any newsworthy exploits)

In each Word/PDF version, there will be an TOC, intro, T1 - T10,  
references, Where to go from here, and index. THe Wiki will contain  
the TOC, Intro, T1-10, references, where to go from here, and instead  
of the index, the pages themselves will be heavily interlinked into  
our best advice for both coding and testing.

Each critical item should only be a page or two long and no more (i.e  
target 800 words per item). The language should target entry level  
developers and architects, and be readily understood by project  
managers and business folks so they can see the worth of doing these  
things right. If you think a diagram will help, I will get a  
professional graphic designer to assist us in creating good looking  
graphics that match all the other diagrams.

Project management.

This time around, I will not try to do so much of the writing. I would  
prefer to be the project manager.


If you know the difference between "which" and "that" or "affect" and  
"effect" and you use them properly, I would love to have you as the  
editor to ensure all produced text is of an even quality and has the  
same tense and no spelling mistakes. If no one can step up, I will do  

Tech Writers.

I think we will need

* 2x-5x for the OWASP Coding Top 10 2009
* 1x-2x for the OWASP Testing Top 10 2009


If you have provided a translation in the past, we will freeze the  
text in December and you can start translating at that point. Using  
tracking changes, we will be able to tell you if there are any updates  
from the peer review process, and if so where they are.

Graphic designer

This time around, I think we need more diagrams. If you have are a  
skilled graphic designer, please send me a sample of your work that  
concentrates on network diagrams or similar. If we can't find anyone  
here who is good at graphic design, OWASP has a decent sized budget  
these days, and I will ask the board for permission to get a  
professional graphic designer to help us with diagrams. But I would  
prefer a volunteer as folks here understand better than anyone how  
this stuff works.


Once we have done these two documents, I would like to space out our  
work a bit more by updating only one of these Top 10's each year. I  
think Testing should update first in 2010, then Coding in 2011. I  
think if we do our methodology right, Coding 2009 will be good advice  
for some time to come.


More information about the Owasp-topten mailing list