[Owasp-topten] Who Are the Initial Six Sampled?

Christian Heinrich christian.heinrich at cmlh.id.au
Wed May 29 23:38:02 UTC 2013


On Thu, May 30, 2013 at 12:40 AM, Neil Smithline
<neil.smithline at owasp.org> wrote:
> I think that is a fine thought but not what the T10 claims to be. On
> https://www.owasp.org/index.php/Top_10_2013-Note_About_Risks, it states that
> it is focused on "risks" and that there are subjective components in risk
> evaluation.
> A change to a strict statistic-based approach would, IMO, be a step
> backward. That said, I think it is a reasonable discussion to have had
> before work started on the T10. Not after it is all but shipped.

You are quoting me somewhat out of context.

There should be some sort of artefact produced by Aspect Security
which provides a ranking of the various vulnerabilities and weaknesses
of the initial six statistics sampled.

However, it is questionable that Aspect Security considered these based on:

1. Aspect Security cannot publish their statistics, yet it was later
revealed that this dataset has never been created.

2. Both Minded Security and Trustwave were added *without* any
resulting adjustment or published revision of the Release Candidate.

If https://www.owasp.org/index.php/Top_10_2013-Note_About_Risks and
this is, as agreed, a subjective process, then what is the purpose of
including objective statistics if they are not considered?

Therefore, if the above assumptions are incorrect, then Aspect Security
should be able to produce an artefact, such as a spreadsheet, containing:

1. An independent ranking from 1 to x (i.e. > 10) of the
vulnerabilities and weaknesses of the eight statistics sampled (HP are
considered two due to the datasets from WebInspect and Fortify). For
this to be independent, Aspect Security would have to remove their
dataset (when finally published); otherwise it is a conflict of

2. The resulting Risk Assessment based on
https://www.owasp.org/index.php/Top_10_2013-Note_About_Risks and
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology, which
is a conflict of interest because Aspect Security wrote these

Until I can view the above, I doubt that there was any discussion
or work undertaken by Aspect Security aside from how they could
promote Sonatype within the OWASP Top Ten.

Christian Heinrich
