[Owasp-topten] Who Are the Initial Six Sampled?

Dave Wichers dave.wichers at owasp.org
Tue May 28 14:21:50 UTC 2013


Stats from all 6 providers were considered for the T10 release candidate.
After it was released, because someone suggested it would be better that the
data was public which we agreed was a good idea, we worked with the
providers to get them to be made public but we had already had the stats.
(Aspect is still working on getting ours public. All the rest are public
now).

-Dave

p.s. I also got a public link for the WhiteHat stats so I'll update that
soon so you don't have to register to get access to those.

-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich at cmlh.id.au] 
Sent: Saturday, May 25, 2013 5:40 AM
To: Dave Wichers
Cc: owasp-topten at lists.owasp.org
Subject: Re: Who Are the Initial Six Sampled?

Dave,

Is there a reason why the Release Candidate was *not* reissued due to the
inclusion of the statistics from Trustwave and Minded Security, since this
would have expanded the sample by a factor of third then?

Is there an artifact dated between the 28 January until 14 February that
indicates that you at least took more than a cursory look at the statistics
from Trustwave and Minded Security since
https://www.owasp.org/index.php?title=Top_10_2013-Introduction&action=history
appears that these statistics were added to the list without any
consideration?

Also what was the outcome of the
http://lists.owasp.org/pipermail/owasp-topten/2013-January/000816.html,
did RandomStorm decide not to provide their statistics in the end?

On Fri, May 24, 2013 at 11:58 PM, Dave Wichers <dave.wichers at owasp.org>
wrote:
> That is correct.
>
> -----Original Message-----
> From: Christian Heinrich [mailto:christian.heinrich at cmlh.id.au]
> Sent: Friday, May 24, 2013 12:42 AM
> To: Dave Wichers
> Cc: owasp-topten at lists.owasp.org
> Subject: Who Are the Initial Six Sampled?
>
> Dave,
>
> On Tue, Jan 29, 2013 at 7:58 AM, Dave Wichers <dave.wichers at owasp.org>
> wrote:
>> So, I expanded from 4 sources of input to 7, but one of those dropped 
>> out (MITRE as they said they wouldn't have good stats to provide) so 
>> then it was 6. And HP is really two of the providers as they provided 
>> WebInspect results, and separately Fortify results. So results for 
>> two very different tools, but only 1 vendor.
>
> From sampling https://www.owasp.org/index.php/Top_10_2010-Introduction
> and based on the statement above from
> http://lists.owasp.org/pipermail/owasp-topten/2013-January/000828.html
> I will assume that on 29 Jan that the six sources chosen were:
>
> 1. Aspect
> 2. HP (Fortify) i.e.
> http://lists.owasp.org/pipermail/owasp-topten/2013-January/000828.html
> 3. HP (WebInspect) i.e.
> http://lists.owasp.org/pipermail/owasp-topten/2013-January/000828.html
> 4. Softtek i.e. 
> https://www.owasp.org/index.php/Top_10_2010-Introduction
> 5. Veracode i.e.
> http://lists.owasp.org/pipermail/owasp-topten/2013-January/000813.html
> 6. Whitehat i.e.
> http://lists.owasp.org/pipermail/owasp-topten/2013-January/000813.html
>
> Can you please let me know if this is correct or where I am wrong?
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
>



--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
