[Owasp-topten] Stats used to support Top 10 entries
dennis.groves at owasp.org
Wed Feb 27 15:52:48 UTC 2013
On 27 Feb 2013, at 15:29, Dave Wichers wrote:
Thanks for that Dave!
And definitely thank you for making OWASP so popular with this project.
I sincerely hope that Aspect benefits enormously from such an important
contribution to the world.
> The methodology for how the Top 10 risks are ranked is described
> towards the end of the Top 10 on the page titled, “Note About
> Risks”. Maybe a better title for that page would be, the OWASP Top
> 10 Risk Ranking Methodology, or something like that. The Top 10
> leverages the OWASP Risk Rating Methodology and uses 4 factors, 3 are
> likelihood factors, and 1 for consequence.
> The three likelihood factors are: Exploitability, Prevalence, and
This is more like an 'exploit popularity contest.' Not what I think of
when I think of the 'Top 10 Risks', but more like what I think of as
'Top 10 exploits.'
Risks are very subjective; what one company finds to be acceptable risk
is potentially game ending at another. They are also cultural. I am told
that Indians (as in India) 'eat risk for breakfast' while other cultures
would be very nervous indeed about even getting to work on Indian roads
- for example. (Apologies to everybody in Hyderabad) ;-)
In my humble opinion:
I don't want to see the top 10 exploits, nor the top 10 risks (after all,
risks are subjective); I want to know the top 10 issues - that is, the
***root causes*** (what I will be guaranteed to do wrong) that I need to
address as a business to reduce my subjective risks.
[Dennis Groves](http://about.me/dennis.groves), MSc
**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
> The idea that some lives matter less is the root of all that’s wrong
> with the world. -- Paul Farmer