[Owasp-topten] Thoughts on OWASP Top 10 2009 - Round 1

Dave Wichers dave.wichers at aspectsecurity.com
Wed Mar 18 18:29:15 EDT 2009

Thanks for your thoughtful comments.

Regarding all the various factors, I totally agree. Some will affect
inclusion in top 10, while others are useful for prioritization. I
thought about that already.

Regarding your last question. I think splitting the doc into a short
awareness doc, and a longer technical report will help. The short doc
serves more as the 'standard'/awareness doc, while the long doc has
enough meat to be educational to developers on the detailed risks for
each item, the techniques for finding such flaws, techniques for
avoiding such flaws, etc.

That's what I'm thinking anyway about one benefit of the proposed split.


-----Original Message-----
From: Steven M. Christey [mailto:coley at linus.mitre.org] 
Sent: Wednesday, March 18, 2009 6:06 PM
To: Dave Wichers
Cc: owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] Thoughts on OWASP Top 10 2009 - Round 1

On Wed, 18 Mar 2009, Dave Wichers wrote:

> c)       Ease of exploit (OWASP Term)/attack frequency (Used by MITRE
> Top 25 programming flaws) (Do these correlate or are they
> different?)

Actually, for deciding membership on the Top 25, we used an informal
combination of prevalence within code, along with severity (what I think
you're calling impact).  Factors such as ease-of-exploit and awareness
were originally considered, but they didn't directly factor into the
decision to include an item on the list. They are listed as decision
to people reading the Top 25, so they can prioritize what to tackle

Note that severity can change depending on context, and prevalence
aren't easily available (especially in the lower-level CWE "weakness"

The eventual definition of a "skilled and determined" threat agent,
with vague notions of risk tolerance, definitely affected membership in
the Top 25.  While I believe that approach was useful, I would have
preferred more extensive vetting.  Also, if you pick one then you're
to limit the applicability to audiences who don't have that particular
threat/risk model.

By the way - I strongly believe that ease-of-exploit and attack
are correlated, at least based on what I see in CVE and its rough
alignment with publicized attacks.  However, with an advanced adversary,
the correlation may be less (since ease-of-exploit may also be
with ease-of-detection).

> CSRF wasn't very well known when we released it into the Top 10 in
> but it's certainly much more well known now.

As one data point - while the 2008 CVE trend data isn't final, CSRF is
somewhere around #11.

A broader question - any idea on how (or if it's even possible) to
scope the Top 10 as a document for education instead of standardization?
(We're starting to see this with the Top 25, too.)

- Steve

More information about the Owasp-topten mailing list