[Owasp-topten] [Owasp-leaders] OWASP Top 10 Methodology

Dave Wichers dave.wichers at owasp.org
Wed May 22 13:45:41 UTC 2013

Each company that provided vulnerability data to the Top 10 2013 has also
now self-published their data (except Aspect, and we will do so soon), and
links to this self-published data are included in the Acknowledgements
section on the wiki:




From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Wednesday, May 22, 2013 7:14 AM
To: Jerry Hoff
Cc: OWASP Leaders; OWASP TopTen
Subject: Re: [Owasp-leaders] OWASP Top 10 Methodology


Seeing the data used to create the OWASP Top 10 would be useful for many.

The devil is in the detail, and such data may give rise to other models and
approaches to app sec.


On 3 March 2013 01:45, Jerry Hoff <jerry at owasp.org> wrote:

Hello all,


This is great - we now have a baseline on how the Top 10 methodology works.


I have a question about the raw data used in the Top 10 - is this going to
be made public as well? 


Ideally, we would have a published, vetted methodology and a repository of
raw data available to all.  Total transparency - in my opinion this is much
more empowering to organizations.  In the perfect scenario, organizations
could then see our methodology, tweak the assumptions and potentially
companies can come up with their own "top 10".   To me, the most important
thing is ensuring the methodology and data are available and that they
accurately reflect reality.


In my opinion, these are the next steps:

1. Make the data that fueled the Top 10 - 2013 publicly available

2. Allow time for review 

3. An open "virtual summit" over webex to hash out glaring problems 

4. Draft a revised methodology

5. Virtual Summit again (repeat until there is a consensus)

6. Openly publish the revised methodology

7. Use this methodology and recommendations to augment the Top 10 

8. Publish Final Document


These steps are based on conversations I had with Jeff Williams, Michael
Coates and Jim Manico. 


Does this plan seem reasonable?  Please voice your opinion OWASP leaders.




Jerry Hoff

jerry at owasp.org


On Mar 2, 2013, at 4:15 PM, Michael Coates <michael.coates at owasp.org> wrote:



The OWASP Top 10 Methodology wiki page (as described in the below email) is
now live - https://owasp.org/index.php/Top_10_2013/ProjectMethodology

As you'll see in the first line of the wiki - "The goal of this page is to
provide the baseline of knowledge to begin a thoughtful conversation of
enhancements and changes to continue growing the OWASP top 10."

Next Steps:

- Have ideas on how we can enhance the methodology? Please add it here

- We'll then begin making changes based on these ideas

Overall Goal:

Increase participation, enhance methodology, and continue to grow the
excellent OWASP top 10 resource 

Thanks for everyone's hard work so far on the Top 10 and all the good ideas
that have been floating around. I'm confident we can all work together as a
community to make this next top 10 awesome.  I look forward to continuing
this conversation with everyone.

Michael Coates | OWASP | @_mwc
michael-coates.blogspot.com <http://michael-coates.blogspot.com/> 


On Tue, Feb 26, 2013 at 12:05 PM, Michael Coates <michael.coates at owasp.org> wrote:

Leaders & Top 10 Enthusiasts,

Dave and I had a great conversation today about the Top 10 and some of the
questions that have been posed by many in our owasp community.

We're going to build a wiki page that describes the overall project
methodology of the owasp top 10, what's currently happening, suggestions for
improvements, and an FAQ.

The project has continually grown over the various releases and has
successfully attracted more worldwide attention. As we've grown as an
organization we've seen many new ways to further open the top 10 and invite
greater participation.

This methodology wiki page will help clarify the activities to date and
provide a feedback channel to continue growing.

Please look for this page later this week. It would have been great for me
to include the completed page with this email, but it will take a day or two
and I wanted to send this info to the list now.


Michael Coates | OWASP | @_mwc
michael-coates.blogspot.com <http://michael-coates.blogspot.com/> 


OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org



Eoin Keary
OWASP Member

