[Owasp-topten] Who Are the Initial Six Sampled?

Dave Wichers dave.wichers at owasp.org
Thu May 30 13:52:44 UTC 2013


The Top 10 project already had all the data before the data was made public.
They just sent it to the project privately and we analyzed all 6 vendors
data. After the release candidate was published, someone asked to make all
the data public, which is a good idea, and so I've gotten all the vendors to
make their data public (Aspect will publish our data too, we just haven't
gotten around to it yet). But rest assured we do have the data, and did when
we used it to help produce the Top 10, and we will make it public before the
final release comes out.


-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Christian
Sent: Wednesday, May 29, 2013 7:38 PM
To: Neil Smithline
Cc: OWASP TopTen
Subject: Re: [Owasp-topten] Who Are the Initial Six Sampled?


On Thu, May 30, 2013 at 12:40 AM, Neil Smithline <neil.smithline at owasp.org>
> I think that is a fine thought but not what the T10 claims to be. On
> https://www.owasp.org/index.php/Top_10_2013-Note_About_Risks, it
> states that it is focused on "risks" and that there are subjective
> components in risk evaluation.
> A change to a strict statistic-based approach would, IMO, be a step
> backward. That said, I think it is a reasonable discussion to have had
> before work has started on the T10. Not after it is all but shipped.

You are quoting me somewhat out of context.

There should be some sort of artefact produced by Aspect Security which
provides a ranking of the various vulnerabilities and weaknesses of the
initial six statistics sampled.

However, it is questionable that Aspect Security considered these based on:

1. Aspect Security cannot publish their statistics yet it was later revealed
that this dataset has never been created.

2. Both Minded Security and Trustwave were added *without* any resulting
adjustment or published revision of the Release Candidate.

If https://www.owasp.org/index.php/Top_10_2013-Note_About_Risks and this is,
as agreed, a subjective process, then what is the purpose of including
objective statistics if they are not considered?

Therefore, if the above assumptions are incorrect then Aspect Security
should be able to produce an artifact, such as a spreadsheet that

1. An independent ranking from 1 to x (i.e. > 10) of the vulnerabilities and
weaknesses of the eight statistics sampled (HP are considered two due to the
datasets from WebInspect and Fortify). For this to be independent, Aspect
Security would have to remove their dataset (when finally published),
otherwise it is a conflict of interest.

2. The resulting Risk Assessment based on
https://www.owasp.org/index.php/Top_10_2013-Note_About_Risks and
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology, which is a
conflict of interest because Aspect Security wrote these documents.

Until I can view the above, then I doubt that there was any discussion or
work undertaken by Aspect Security aside from how they could promote
Sonatype within the OWASP Top Ten.

Christian Heinrich

Owasp-topten mailing list
Owasp-topten at lists.owasp.org