[Owasp-topten] 2010 RC1 - Sources of Stats

Dave Wichers dave.wichers at aspectsecurity.com
Mon Dec 28 11:18:53 EST 2009

The Aspect and Softtek results are not public but are very large and useful
sources of input. The MITRE data was sent to me by Steve Christey so I am
not sure exactly where it came from. He could answer that.

Aspect would not be opposed to making our data public at some point but
that takes some work and conversations with our clients that we have not
done yet so that certainly won't happen anytime soon.

We did not sample bugtraq. I don't recall it being used before.


Christian Heinrich <christian.heinrich at owasp.org> wrote:


In relation to the sources of statistics sampled for the OWASP Top
Ten 2010 RC1:

I have been unable to locate the statistics provided by either Aspect
Security or Softtek - are they publicly available and if not (publicly
available) should they be considered in addition to statistics that
are published publicly considering the "Open" in OWASP?

For the MITRE statistics, is the CWE Vulnerability Type Distributions
the sample (i.e. http://cwe.mitre.org/documents/vuln-trends/index.html)
or do different statistics constitute their sample?

Are statistics from BUGTRAQ still sampled (i.e. there is no mention in
the RC) as it was sampled for prior releases of the OWASP Top Ten?

Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule