[Owasp-topten] 2010 RC1 - Sources of Stats

Christian Heinrich christian.heinrich at owasp.org
Mon Dec 28 18:20:55 EST 2009


From what period were the Aspect and Softek sampled? e.g. since the
2003 Release (cumulative) or the period between the 2007 and 2010 RC.

It would be of great benefit to a statistician if the other contributors
could include some commentary on the above and other items such as the
interpretation of their statistics which could be published as a
separate appendix (document) to ensure that the size (i.e. pages) is
kept to a minimum in terms of the main document (consisting of the
OWASP Top Ten).

Could the final release be amended to include a statement along the
lines of "while the Aspect and Softek statistics are not available to
the public at the time of publication, they will be made available at
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project once
identifying data has been removed" as an example?

I believe Andrew van der Stock sampled BUGTRAQ but I may be incorrect
due to my *brief* reading of the mailing list archives.

On Tue, Dec 29, 2009 at 3:18 AM, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:
> The Aspect and Softek results are not public but are very large and useful
> sources of input. The MITRE data was sent to me by Steve Christey so I am
> not sure exactly where it came from. He could answer that.
> Aspect would not be opposed to making our data public at some point but
> that takes some work and conversations with our clients that we have not
> done yet so that certainly won't happen anytime soon.
> We did not sample bugtraq. I don't recall it being used before.
> Dave

Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule
