[Owasp-topten] RFI taken out

Steven M. Christey coley at linus.mitre.org
Tue Nov 17 19:24:24 EST 2009

On Tue, 17 Nov 2009, Dave Wichers wrote:

> I think there is significant danger in jamming too much into a single
> category. Again, the Top 10 is not intended to contain every issue
> people can run into. It's intended to emphasize the 10 issues that
> introduce the most risk and there will always be other significant risks
> that people have to deal with that didn't make the top 10.
> I guess we could go to a Top 25 list, like SANS, but I don't even want
> to go there ...  I think for Web Apps a Top 25 list would be so long as
> to be exhausting and dilute the focus that a list of only 10 items
> provides.

We didn't do a good job of emphasizing this in the CWE/SANS Top 25, but we
have a separate document of "On the Cusp" weaknesses that didn't make it
to the Top 25, but should be notable to some users.  I don't have an
opinion as to whether the OWASP Top Ten would want to have a companion

- Steve
