[Owasp-topten] Extension to Comment Period for 2010 RC1?
christian.heinrich at owasp.org
Fri Dec 18 19:47:01 EST 2009
My comment wasn't intended to be a reflection of MITRE but I can
understand the correlation due to the involvement with SANS with the
I read your FAQ when the Top 25 was first published and you may want
to consider the reintroduction of A6 Security Misconfiguration in
light of on issues such as buffer overflows, etc highlighted by the
My only advice in reproducing the Top 10 within the Top 25 would be to
consider the respective licensing of this OWASP Project.
I have some additional comment to some of the points you have raised
which I will express once I have completed my review of this Release
On Thu, Dec 17, 2009 at 4:53 AM, Steven M. Christey
<coley at linus.mitre.org> wrote:
> On Wed, 16 Dec 2009, Christian Heinrich wrote:
>> I would prefer that OWASP didn't venture down the path of competing for
>> media attention with SANS due our reputation within the greater appsec
>> community but if you consider the SANS Top 25 is a risk to the OWASP Top Ten
>> then it would be advantageous to publish the final at the next OWASP
>> Conference in 2010 as this would allow for a comparison with SANS Top 25.
> I'm the technical lead for the Top 25 and don't want these efforts to appear
> competitive in any fashion. I doubt we will get the attention that we got
> last year, but you never know. We included a FAQ question last year, but
> that requires people to actually read it...
> I'll bring up the issue to the Top 25 community.
>> Obviously, SANS could include the entries of the RC in their Top 25 as the
>> RC has already been published.
> I think this is a good idea and will pursue it as an appendix.
> - Steve
Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule
More information about the Owasp-topten