[Owasp-topten] Who Are the Initial Six Sampled?

Christian Heinrich christian.heinrich at cmlh.id.au
Wed May 29 01:24:46 UTC 2013


Dave,

As RandomStorm are yet to publish the URL, your claim that their
statistics are not scientific is hearsay.

Ryan has also explained the scientific sampling behind WHID within
http://lists.owasp.org/pipermail/owasp-topten/2013-March/000992.html

None of the statistics that are listed on
https://www.owasp.org/index.php/Top_10_2013-Introduction are
scientific since their intent is to promote the businesses providing
them.

The OWASP Top Ten should be an independent scientific validation of
the commercial statistics sampled, but you are yet to produce this
artifact, including the adjustment for the new dataset post publication
of the Release Candidate.  This is further doubtful in light of the
fact that Aspect Security have based the Top Ten on their "opinion"
rather than fact, since Aspect Security have not published their
statistics because they do not exist.

Of note, Veracode have correlated their statistics to the OWASP Top
Ten 2010 release, and this should be scientific (I haven't checked),
based on https://www.owasp.org/index.php/Quote-Veracode_Provides_Visibility_into_Their_Verification_Process_for_the_OWASP_Top_10

On Wed, May 29, 2013 at 12:23 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
> I've asked those that suggested we use this to assist the Top 10 be based
> more on data rather than opinion to pull some concrete suggestions/data
> together, but they have not come up with anything yet.

-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
