[Owasp-topten] Stats used to support Top 10 entries

Dennis Groves dennis.groves at owasp.org
Wed Feb 27 15:52:48 UTC 2013


On 27 Feb 2013, at 15:29, Dave Wichers wrote:

Thanks for that Dave!

And definitely thank you for making OWASP so popular with this project. 
I sincerely hope that Aspect benefits enormously from such an important 
contribution to the world.

> The methodology for how the Top 10 risks are ranked is described 
> towards the end of the Top 10 on the page titled, “Note About 
> Risks”. Maybe a better title for that page would be, the OWASP Top 
> 10 Risk Ranking Methodology, or something like that. The Top 10 
> leverages the OWASP Risk Rating Methodology and uses 4 factors, 3 are 
> likelihood factors, and 1 for consequence.
>
> The three likelihood factors are: Exploitability, Prevalence, and 
> Detectability.

This is more like an 'exploit popularity contest.' Not what I think of 
when I think of the 'Top 10 Risks', but more like what I think of as 
'Top 10 exploits.'

Risks are very subjective; what one company finds to be acceptable risk 
is potentially game ending at another. They are also cultural. I am told 
that Indians (as in India) 'eat risk for breakfast' while other cultures 
would be very nervous indeed about even getting to work on Indian roads 
- for example. (Apologies to everybody in Hyderabad) ;-)

In my humble opinion:

I don't want to see the top 10 exploits; nor the top 10 risks (after all, 
risks are subjective). I want to know the top 10 issues - that is the 
***root causes*** (what will I be guaranteed to do wrong) that I need to 
address as a business to reduce my subjective risks.



Dennis

-- 
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a 
meeting](http://goo.gl/8sPIy).

*This email is licensed under a [CC BY-ND 
3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free 
software](http://www.fsf.org/campaigns/secure-boot/statement).

> The idea that some lives matter less is the root of all that’s wrong 
> with the world. -- Paul Farmer
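As an added illustration of the ranking scheme quoted above (three likelihood factors plus one consequence factor), the following example is not part of the original message or of the OWASP Top 10 project. The ordinal scale, the combining rule (mean of the likelihood factors multiplied by the impact factor) and the three sample weaknesses are all assumptions constructed for the demonstration; they are not OWASP's own numbers or entries. The second ranking function, by impact alone, is included only to make visible how much of the ordering is driven by the likelihood side.

```python
"""Rank candidate weaknesses with a four-factor scheme: three likelihood
factors (exploitability, prevalence, detectability) and one consequence
factor (technical impact).  Scale, combining rule and sample data are
constructed for illustration and are not OWASP's own figures."""
from dataclasses import dataclass
from statistics import mean

# Assumed ordinal scale: 1 = least worrying ... 3 = most worrying.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Candidate:
    name: str
    exploitability: str  # how easy the weakness is to exploit
    prevalence: str      # how widespread it is across applications
    detectability: str   # how easy it is to find in an application
    impact: str          # technical consequence when it is exploited


def likelihood(c: Candidate) -> float:
    """Assumed rule: arithmetic mean of the three likelihood factors."""
    return mean(SCALE[x] for x in (c.exploitability, c.prevalence, c.detectability))


def risk_score(c: Candidate) -> float:
    """Assumed rule: likelihood multiplied by impact, rounded to 2 places."""
    return round(likelihood(c) * SCALE[c.impact], 2)


def rank(cands: list[Candidate]) -> list[str]:
    """Names ordered by descending score; ties broken alphabetically."""
    return [c.name for c in sorted(cands, key=lambda c: (-risk_score(c), c.name))]


def rank_by_impact_only(cands: list[Candidate]) -> list[str]:
    """Same candidates ordered by the consequence factor alone, for contrast."""
    return [c.name for c in sorted(cands, key=lambda c: (-SCALE[c.impact], c.name))]


# Constructed sample weaknesses (hypothetical, not Top 10 entries).
SAMPLE = [
    Candidate("weakness A", "high", "high", "high", "low"),       # easy, everywhere, minor
    Candidate("weakness B", "low", "low", "medium", "high"),      # rare, hard, severe
    Candidate("weakness C", "medium", "high", "medium", "medium"),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.name}: likelihood={likelihood(c):.2f} score={risk_score(c)}")
    print("four-factor order:", rank(SAMPLE))
    print("impact-only order:", rank_by_impact_only(SAMPLE))
```

With these constructed inputs the four-factor rule places the common, moderate-impact weakness first and the rare, severe one second, while an impact-only ordering puts the severe one first; swapping in a different scale or combining rule changes the order, which is exactly why the choice of factors deserves to be stated explicitly.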