[Owasp-topten] 2010 RC1 - Sources of Stats

robert at webappsec.org robert at webappsec.org
Mon Dec 28 13:00:17 EST 2009


You should consider factoring in stats from the WASC statistics project which gathers
real world vuln stats from hundreds of production websites.

http://projects.webappsec.org/Web-Application-Security-Statistics
http://projects.webappsec.org/f/WASS-SS-2008.pdf
http://projects.webappsec.org/f/wasc_wass_2007.pdf

Sergey would be the best contact for when the 2009 stats are going to be published.

Regards,
- Robert

> 
> The Aspect and Softek results are not public but are very large and useful
> sources of input. The MITRE data was sent to me by Steve Christie so I am
> not sure exactly where it came from. He could answer that.
> 
> Aspect would not be opposed to making our data public at some point but
> that takes some work and conversations with our clients that we have not
> done yet so that certainly won't happen anytime soon.
> 
> We did not sample bugtraq. I don't recall it being used before.
> 
> Dave
> 
> Christian Heinrich <christian.heinrich at owasp.org> wrote:
> 
> Jeff,
> 
> In relation to the sources of statistics sampled for the OWASP Top
> Ten 2010 RC1:
> 
> I have been unable to locate the statistics provided by either Aspect
> Security or Softtek - are they publicly available and if not (publicly
> available) should they be considered in addition to statistics that
> are published publicly considering the "Open" in OWASP?
> 
> For the MITRE statistics, is the CWE Vulnerability Type Distributions
> the sample (i.e. http://cwe.mitre.org/documents/vuln-trends/index.html)
> or do different statistics constitute their sample?
> 
> Are statistics from BUGTRAQ still sampled (i.e. there is no mention in
> the RC) as it was sampled for prior releases of the OWASP Top Ten?
> 
> 
> --
> Regards,
> Christian Heinrich - http://sn.im/cmlh_linkedin_profile
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> Speaking Schedule at http://sn.im/cmlh_speaking_schedule
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
> 
