[Owasp-topten] Who Are the Initial Six Sampled?

Neil Smithline neil.smithline at owasp.org
Wed May 29 14:40:39 UTC 2013


Christian,

You say:

> The OWASP Top Ten should be an independent scientific validation of
> the commercial statistics sampled but you are yet to produce this
> artifact, including the adjustment of new dataset post the publication
> of the Release Candidate.


I think that is a fine thought but not what the T10 claims to be. On
https://www.owasp.org/index.php/Top_10_2013-Note_About_Risks, it states
that it is focused on "risks" and that there are subjective components
in risk evaluation.

A change to a strict statistic-based approach would, IMO, be a step
backward. That said, I think it is a reasonable discussion to have had
before work started on the T10, not after it is all but shipped.

I understand that you feel that the T10 RC creation was too closed a
process. I too would prefer earlier access to the contents of the T10. I
believe that point has been made to and understood by Dave. He's said he's
open for discussion going forward.

But for the 2013 T10, neither the process nor the format and contents of
the T10 should have been a surprise. They are identical to the 2010 T10. As
such, I think that the time to propose significant changes to the T10
should have occurred over the past 3 years, not now.

I think that now is the perfect time to begin discussions of the 2013 T10's
contents and process with an eye towards creating a 2014 or 2015 T10. For
the 2013 T10, your arguments for making significant changes to it make me
think that you underestimate the amount of work that goes into creating a
T10.

The starting point for significant changes in future T10s likely begins
with creating a working group that defines the goals, schedule, and process
for creating the next T10. That should then be publicly reviewed, modified
appropriately, voted on by the board, etc... IMO, this will take a minimum
of 6 months.

At least for me, waiting that long is unacceptable. The current T10 should
ship and we should move forward from there.

Just my 2 cents (OK, maybe 200 cents),

Neil


On Tue, May 28, 2013 at 9:24 PM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Dave,
>
> As RandomStorm are yet to publish the URL then your claim that their
> statistics are not scientific is hearsay.
>
> Ryan has also explained the scientific sampling behind WHID within
> http://lists.owasp.org/pipermail/owasp-topten/2013-March/000992.html
>
> None of the statistics that are listed on
> https://www.owasp.org/index.php/Top_10_2013-Introduction are
> scientific since their intent is to promote the businesses providing
> them.
>
> The OWASP Top Ten should be an independent scientific validation of
> the commercial statistics sampled but you are yet to produce this
> artifact, including the adjustment of new dataset post the publication
> of the Release Candidate.  This is further doubtful in light of the
> fact that Aspect Security have based the Top Ten on their "opinion"
> rather than fact since Aspect Security have not published their
> statistics since they do not exist.
>
> Of note, Veracode have correlated their statistics to the OWASP Top
> Ten 2010 release and this should be scientific (I haven't checked)
> based on
> https://www.owasp.org/index.php/Quote-Veracode_Provides_Visibility_into_Their_Verification_Process_for_the_OWASP_Top_10
>
> On Wed, May 29, 2013 at 12:23 AM, Dave Wichers <dave.wichers at owasp.org>
> wrote:
> > I've asked those that suggested we use this to assist the Top 10 be based
> > more on data rather than opinion to pull some concrete suggestions/data
> > together, but they have not come up with anything yet.
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact