[Owasp-topten] Who Are the Initial Six Sampled?

Neil Smithline neil.smithline at owasp.org
Thu May 30 00:51:53 UTC 2013

First, I apologize for taking your statements out of context. That was not
my intent.

I believe you are implying that objective statistics aren't of use when
used in combination with subjective viewpoints. I disagree. Regarding the
T10, I view subjective opinions as being an adjunct to the objective stats.
It sounds like we have two different views of the right combination of
subjective and objective input to the T10. That's fine. We can have
different opinions.

I disagree with your statement that the T10 had to change with the addition
of new data sets. This disagreement seems natural as I seem to be more
accepting of the subjective input than you. In general, I think that we
could find many details where my being more forgiving about the exact
numbers than you leads to a difference of opinion. This seems unavoidable
given our different viewpoints.

Also, and here is where a lot of subjective input comes into play, the T10
is not supposed to be a post mortem of what has plagued web security for
the past N years. Rather, it is supposed to be a guide to app sec for the
next N years. In anticipation of your question, I know that nobody has a
crystal ball. The T10 is just best guess or, if you prefer, subjective.

I think that Mass Assignment vulnerabilities are a good example for adding
subjective to the objective. I imagine (and I've not looked at stats - this
is just an example) that there have been many large breaches due to Mass
Assignment vulnerabilities in the past year or so. That said, IMO, the Mass
Assignment stats are irrelevant to the future and Mass Assignment should
not be in the T10.

As the Mass Assignment vulnerabilities were typically in large frameworks
that have addressed the issues, Mass Assignment is uninteresting because it
is yesterday's news and not tomorrow's. You may disagree. That's fine.

If you disagree enough, perhaps you'd like to start a new project that is a
post mortem of the 10 most problematic web app sec issues for the past N
years based 100% on objective stats. It is easy to start new
OWASP's open model. Even I've started a new project. Alas, it seems
starting a project is much simpler than making forward progress on it :-(

Thanks for talking this out Christian. At least for me, this discussion has
helped me clarify my thoughts. I hope it did the same for you.


On Wed, May 29, 2013 at 7:38 PM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Neil,
> On Thu, May 30, 2013 at 12:40 AM, Neil Smithline
> <neil.smithline at owasp.org> wrote:
> > I think that is a fine thought but not what the T10 claims to be. On
> > https://www.owasp.org/index.php/Top_10_2013-Note_About_Risks, it states
> that
> > it is focused on "risks" and that there is are subjective components in
> risk
> > evaluation.
> >
> > A change to a strict statistic-based approach would, IMO, be a step
> > backward. That said, I think it is a reasonable discussion to have had
> > before work has started on the T10. Not after it is all but shipped.
> You are quoting me somewhat out of context.
> There should be some sort of artefact produced by Aspect Security
> which provides a ranking of the various vulnerabilities and weaknesses
> of the initial six statistics sampled.
> However, it is questionable that Aspect Security considered these based on:
> 1. Aspect Security cannot publish their statistics yet it was later
> revealed that this dataset has never been created.
> 2. Both Minded Security and Trustwave were added *without* any
> resulting adjustment or published revision of the Release Candidate.
> If https://www.owasp.org/index.php/Top_10_2013-Note_About_Risks and
> this is, as agreed, a subjective process then what is the purpose of
> the including objective statistics if they are not considered?
> Therefore, if the above assumptions are incorrect then Aspect Security
> should be able to procedure an artifact, such as a spreadsheet that
> has:
> 1. An independent ranking from 1 to x (i.e. > 10) of the
> vulnerabilities and weakness of the eight statistics sampled (HP are
> considered two due to the dataset from WebInspect and Fortify).  For
> this to be independent Aspect Security would have to remove their
> dataset (when finally published) otherwise it is a conflict of
> interest.
> 2. The resulting Risk Assessment based on
> https://www.owasp.org/index.php/Top_10_2013-Note_About_Risks and
> https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology, which
> is a conflict of interest because Aspect Security wrote these
> documents.
> Until I can view the above, then I doubt that there was any discussion
> or work undertaken by Aspect Security aside from how they could
> promote Sonatype within the OWASP Top Ten.
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20130529/83ed6d0f/attachment-0001.html>

More information about the Owasp-topten mailing list