[Owasp-topten] final release date for 2013 list?

Dave Wichers dave.wichers at owasp.org
Sun May 19 14:16:19 UTC 2013

If we were going to do something big for the Top 10 this year like this,
then volunteers should have emerged much sooner. For example, I've been
trying to work with the people who suggested we could use more metrics in
the Top 10, specifically the prevalence of attack metrics but they haven't
been able to get organized and produce anything since they suggested we do
something like this.

I'm getting to the point where I think we should release the Top 10 for 2013
as it has been produced every other year, and then if some group wants to
form to study ways of improving it, getting more participation, come up with
concrete suggested changes, etc. that be started after this release and
maybe we can produce another release in 2014 rather than holding up this
release for several more months (my guess is that it would be more like 4-6
months) if we were to do this. I think people are concerned that we'd be
stuck with whatever this version says for 3 more years, but we don't have to
limit ourselves to that if we don't want to.

There was a lot of traffic when the draft release came out about what we
should be doing, but almost no one stepped up and offered to do anything
about it. There were talks about holding summits and having big meetings
about this, but I don't have time to organize such things and no one else
volunteered to do so either.

As to http://lists.owasp.org/pipermail/owasp-leaders/2013-March/009045.html
(edits to the Top 10), people have been sending me suggested edits and I
have been making them to the master. There have been very few such comments
by the way. Far less than in 2010 actually. So whether the edits go
through me, or can be done directly on the wiki, I don't think that's a
bottleneck or issue.


-----Original Message-----
From: Jim Manico [mailto:jim.manico at owasp.org] 
Sent: Friday, May 17, 2013 8:18 PM
To: Michael Coates
Cc: Dave Wichers; OWASP TopTen
Subject: Re: [Owasp-topten] final release date for 2013 list?

+1 Thank you for speaking up on this Michael. I think it's very sensible to
publish another draft version before we go live.

I'm also very concerned about this:

I personally would like to consider allowing the entire community to make
edits directly to the document per OWASP's open philosophy.

Dave, maybe we can split this and allow you to keep working on a "private"
version, but also encourage the community to work on an "open" version, and
compare the two after a few weeks and see which one will serve the community

- Jim

> Dave and all,
> Can you update us all on whether any of the methodology feedback has 
> been incorporated?
> https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements
> Also, there was a hefty debate on what items were to be included 
> within the top 10 on the leaders list. I'd suggest another draft 
> release for comment based on the evaluation of that feedback. Please 
> correct me if I'm wrong, but my feeling is it may be premature to go
> straight to release.
> Thanks,
> Michael
> --
> Michael Coates | OWASP | @_mwc
> On Fri, May 17, 2013 at 11:40 AM, Dave Wichers
> <dave.wichers at owasp.org> wrote:
>> That's still my target.
>>
>> *From:* owasp-topten-bounces at lists.owasp.org [mailto:
>> owasp-topten-bounces at lists.owasp.org] *On Behalf Of* Sean Larabee
>> *Sent:* Friday, May 17, 2013 1:45 PM
>> *To:* owasp-topten at lists.owasp.org
>> *Subject:* [Owasp-topten] final release date for 2013 list?
>>
>> Not expecting to see a sea change from the 2013 release candidate,
>> but am still holding off on reworking some of my own documents until
>> after the
>> 2013 list is officially out.  Is it still on track for a release by
>> the end of May?
>>
>> Sean Larabee
>> Senior Security Engineer
>> Anitian Enterprise Security
>> sean.larabee at anitian.com
>> 503-726-2112
>>
>> _______________________________________________
>> Owasp-topten mailing list
>> Owasp-topten at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-topten