[Owasp-topten] Stats used to support Top 10 entries

Michael Coates michael.coates at owasp.org
Tue Feb 26 19:17:24 UTC 2013


I'd like to revisit this thread. I'd argue that doing it right is better
than doing it fast.


Is there a way to publish aggregate data? A black box approach is not
consistent with the way we do things - and even if done in the best
possible way, it is tough to defend since people just have to take
someone's word.




--
Michael Coates | OWASP | @_mwc
michael-coates.blogspot.com


On Wed, Jan 30, 2013 at 2:23 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> I don't think it is too late to introduce them. We can do it after you
> release the first draft.
>
> I've written why at Stats used to support OWASP Top 10 entries (next
> version must publish them)<http://blog.diniscruz.com/2013/01/stats-used-to-support-owasp-top-10.html>
>
> Also relevant to this issue is: Why NDAs have no place at OWASP<http://blog.diniscruz.com/2013/01/why-ndas-have-no-place-at-owasp.html>
>
>
> Dinis Cruz
>
> On 28 January 2013 21:01, Dave Wichers <dave.wichers at owasp.org> wrote:
>
>> Given that I intend to publish the release candidate in 1 week, I simply
>> don’t think we have the time to introduce this at this point.  I really
>> wanted the draft out 1 month ago, but didn’t get it done earlier.
>>
>> -Dave
>>
>> *From:* Dinis Cruz [mailto:dinis.cruz at owasp.org]
>> *Sent:* Monday, January 28, 2013 7:19 AM
>> *To:* Dave Wichers
>> *Cc:* OWASP TopTen
>> *Subject:* Re: [Owasp-topten] Stats used to support Top 10 entries
>>
>> Well, that is not really usable right? :) (there are only 4 links on
>> https://www.owasp.org/index.php/Top_10_2010 and there is not much
>> consumable data in there)
>>
>> I understand how in the past it made sense to have such an arrangement, but
>> for the next version (OWASP Top 10 2013) can we have it so that all data
>> used is published? And peer-reviewed?
>>
>> Thanks
>>
>> Dinis Cruz
>>
>> On 28 January 2013 00:25, Dave Wichers <dave.wichers at owasp.org> wrote:
>>
>> The data is NOT published by OWASP because it was provided to OWASP with
>> the understanding that we wouldn't republish it. That said, many of the
>> data providers have already published their data, like White Hat and
>> Veracode for example (and MITRE in the past), so people can go get the data
>> directly from those providers. But not all data providers have made their
>> data public.
>>
>> And we clearly list who the data providers are in the Top 10 itself.
>>
>> -Dave
>>
>> *From:* owasp-topten-bounces at lists.owasp.org [mailto:
>> owasp-topten-bounces at lists.owasp.org] *On Behalf Of *Dinis Cruz
>> *Sent:* Sunday, January 27, 2013 4:32 AM
>> *To:* OWASP TopTen
>> *Subject:* [Owasp-topten] Stats used to support Top 10 entries
>>
>> I got a question about the stats, data and sample size used to back up
>> the choice of the Top 10 entries.
>>  ****
>>
>> Since I couldn't find that info on the
>> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project page, I
>> am asking it here :)
>>  ****
>>
>> So, where can I get it from? (I know it exists, since I remember the
>> threads)
>>
>> Thanks
>>
>> Dinis Cruz
>>