[Owasp-topten] Who Are the Initial Six Sampled?

Neil Smithline neil.smithline at owasp.org
Tue Jun 4 13:45:10 UTC 2013

IMO, that sounds like the most effective means of having your concerns
addressed. It's a shame about the time zone thing but no time is good for

Thanks again for taking the time to communicate your thoughts. It's been
nice working with you.


On Tue, Jun 4, 2013 at 3:23 AM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Neil,
> I didn't state to transfer ownership of the Top Ten from OWASP to
> MITRE, rather that the Project Leadership be transitioned from Aspect
> Security to MITRE i.e. OWASP would retain ownership.
> I have had several positive dealings (as an Australian) with (the US
> based) MITRE in the past, including
> http://cwe.mitre.org/top25/contributors.html hence the recommendation
> which MITRE might decline the nomination btw.
> For the record, I was also critical of SANS/MITRE within
> http://lists.owasp.org/pipermail/owasp-topten/2009-December/000540.html
> due to
> http://www.tssci-security.com/archives/2009/01/16/sans-top-25-procurement-language-and-the-owasp-secure-software-contract-annex/
> and I commend how Steve promptly addressed this criticism with
> accountability on behalf of SANS/MITRE.
> I believe that if either Michael Coates or Jim Manico considered my
> recent contribution as "ad hominem" then it would have been
> disregarded as hearsay (which was clarified within
> http://lists.owasp.org/pipermail/owasp-topten/2013-May/001016.html and
> http://lists.owasp.org/pipermail/owasp-topten/2013-May/001018.html).
> Of note, both of these gentlemen are former employees of Aspect
> Security too.
> I will attempt (time permitting) to publish a "Terms of Reference"
> for the OWASP Board conference call but I hadn't planned to participate
> due to the timezone difference. However, I will if needed to ensure
> that the conference call is accountable and transparent and that
> Aspect Security have been treated fairly.
> On Tue, Jun 4, 2013 at 2:10 PM, Neil Smithline <neil.smithline at owasp.org>
> wrote:
> > First, thanks for the clear and concise answer Christian. I appreciate you
> > taking the time to explain your thoughts.
> >
> > I have a few comments:
> >
> > A T10 takes a long time to produce from scratch. We simply can't get another
> > out in 2013. We either go with minor tweaks to the RC or give up on it for
> > the year. I don't say this to be argumentative. It is just facts. Consider
> > this year's T10. Assuming that it was started in December, it has taken 7
> > months and has still not been released.
> >
> > I believe that MITRE, especially Steve Christy, is heavily involved in the
> > OWASP T10. I understand that that is not the same thing as running it but, I
> > am sure, that Steve has been working with Jeff and Dave from the very
> > beginning; long before the RC came out. While this doesn't guarantee 100%
> > agnosticism, it does help.
> >
> > I see no reason to believe that MITRE or any other organization is going to
> > be 100% agnostic. Organizations are made up of people and people are always
> > biased. Always. Different people will be biased differently, but that
> > doesn't mean the T10 will be better.
> >
> > I believe, make that I passionately believe, that the world is a better place
> > with OWASP in it than not. Moving the T10 from OWASP to another organization
> > would terribly hurt OWASP's brand and effectiveness in the future. So,
> > _even_ if the T10 is biased by Aspect and _even_ if another organization
> > could do a better job, I still think that the T10 should remain under
> > OWASP's purview.
> >
> > Long before I'd move the T10 elsewhere I would look to change its
> > production. Perhaps someone from MITRE should head the T10 development?
> > Perhaps there should be writing and approval by committee as you propose?
> > Perhaps just more openness and better statistic publishing? The only thing
> > that I'm confident in is that it would be terrible for OWASP to lose the
> > T10. I don't want that to happen.
> >
> > The fate of the current T10 RC will be discussed in the next board meeting.
> > If I were a voting board member, I would vote for shipping what exists. I
> > think that it is time for a new T10. If for no other reason than to have
> > something shiny and new that will help enterprises focus on web app sec with
> > renewed vigor. I understand that you may feel differently.
> >
> > I find it ironic that you have a forum to express your thoughts that the
> > process is closed, nobody's taking any input, you feel excluded, etc... when
> > the very fact that you have been allowed to voice your opinions so strongly
> > and that you have been engaged on numerous occasions by people in this list
> > as well as the project leaders from Aspect, seems to contradict your
> > statement that it is a closed process.
> >
> > It has already been stated that a new process can be examined for future
> > T10's, a complementary document to the T10 can be created, and that a 2014
> > T10 can be published. The only option that you seem content with is to shut
> > down this T10. You're entitled to your opinion and, to the best of my
> > understanding, you're even entitled to voice it at the upcoming board
> > meeting. IMO, this is anything but a closed process.
> >
> > I'll conclude by saying that, to the best of my recollection, Jeff and Dave
> > have treated you with nothing but respect. On the other hand, you have
> > repeatedly called them self-serving liars who are unwilling to take input
> > and are trying to subvert the OWASP T10 for their personal financial gain.
> >
> > I'm sure the reason why Jeff and Dave haven't pointed out how rudely you've
> > been treating them is because they want the process to be open. Me, not
> > being in a leadership position, feel quite comfortable telling you that I
> > think your treatment of them has been abhorrent.
> >
> > Disagreeing is one thing but the nasty insinuations that you have made are
> > something quite different.
> >
> > And still, Jeff and Dave will let you attend the board meeting. What does
> > that tell us....
> >
> > Neil
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact