[Owasp-topten] [Owasp-leaders] OWASP Top Ten: Project Activity?

Eoin Keary eoin.keary at owasp.org
Tue Jul 7 23:16:46 UTC 2015


Hi Neil,

The thread is over a massive 40kb!! So my response is bouncing. The list admin, David, could increase it to a decent size if he wished. It's very simple to do, as I have admin on a number of lists myself.....anyway, I was saying: including framework CVEs in the T10 would shake things up again; after all, frameworks are code too, and also prone to developer error on the part of the framework developers.

I'd explain more, but every byte counts, like we're in the '80s.




Eoin Keary
OWASP Volunteer
@eoinkeary



> On 6 Jul 2015, at 22:57, Neil Smithline <neil.smithline at owasp.org> wrote:
> 
> >> Is the OWASP t10 myopic or should it cover overall AppSec risk? 
> I guess I don't quite understand the two options. Can you define "myopic" and "overall appsec risk" for me?
> 
>> On Fri, Jul 3, 2015 at 2:05 PM Eoin Keary <eoin.keary at owasp.org> wrote:
>> I suppose even frameworks are code developed by people but happy to discuss.
>> Is the OWASP t10 myopic or should it cover overall AppSec risk? 
>> 
>> 
>> Eoin Keary
>> OWASP Volunteer
>> @eoinkeary
>> 
>> 
>> 
>>> On 3 Jul 2015, at 17:57, Neil Smithline <neil.smithline at owasp.org> wrote:
>>> 
>>> Do you think this should be in the T10 or provided in an accompanying doc? I think it is important to keep the T10 as 1 page per entry. That doesn't leave lots of room for more data. 
>>> 
>>>> On Wed, Jul 1, 2015, 12:03 Eoin Keary <eoin.keary at owasp.org> wrote:
>>>> I'd like to include aspects of security in relation to supporting frameworks - CVEs, configuration issues, etc., which are either coding bugs by proxy or implementation issues.
>>>> Both have significant impact on overall risk.
>>>> Include such issues in the model?
>>>> 
>>>> We are building a report similar to 
>>>> http://www.bccriskadvisory.com/wp-content/uploads/Edgescan-Stats-Report.pdf
>>>> to reflect the first half of 2015 and can share the raw data once done.
>>>> 
>>>> Eoin Keary
>>>> OWASP Volunteer
>>>> @eoinkeary
>>>> 
>>>> 
>>>> 
>>>>> On 30 Jun 2015, at 19:39, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
>>>>> 
>>>>> The data we would contribute can be found here:
>>>>> http://www.slideshare.net/jeremiahgrossman/whitehats-website-security-statistics-report-2015
>>>>> 
>>>>> Page 6 has our vulns by likelihood to contrast against the T10.
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Jun 30, 2015, at 11:18 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>>> 
>>>>>> +1 Jer,
>>>>>> I'd like to see the outcome after taking more vuln feeds into account. Is there any shift, even due to statistical error, when more sources are considered?
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Eoin Keary
>>>>>> OWASP Volunteer
>>>>>> @eoinkeary
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On 30 Jun 2015, at 20:19, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
>>>>>>> 
>>>>>>> Dave,
>>>>>>> 
>>>>>>> I'd tend to agree with your conclusion. Maybe a small shift in order, but probably no new classes of attack or major changes.
>>>>>>> 
>>>>>>> 'As such, given that we don't expect the list to actually change in any substantial way, the project has decided to defer the next update to a 2017 release.'
>>>>>>> 
>>>>>>> That said, why do we think waiting for 2017 would change the list substantively? 
>>>>>>> 
>>>>>>> I mean, the list has barely changed over the years anyway. Doubtful most anyone could accurately determine what list is from what year. With this in mind, I wonder if we should brainstorm on new ideas for the project to make the T10 more useful and actionable to the community. Because, as great as the T10 is as an awareness tool, it's not making the impact that we'd all like it to — otherwise the list would change.
>>>>>>> 
>>>>>>> 
>>>>>>> Regards,
>>>>>>> 
>>>>>>> Jeremiah-
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> On Jun 29, 2015, at 5:38 PM, Dave Wichers <dave.wichers at owasp.org> wrote:
>>>>>>>> 
>>>>>>>> Hey everyone,
>>>>>>>> 
>>>>>>>> I've been remiss in telling the OWASP community about the Top 10 project plans for a 2016 release. This thread has reminded me to do so (so thanks for that).
>>>>>>>> 
>>>>>>>> Historically, we've produced a new OWASP Top 10 every 3 years because this seems to balance the tempo of change in the AppSec market, all the work everyone does to map their tool/process/other thing to each version of the OWASP Top 10, and the effort required to produce it. We've been producing a new one every three years since 2004 (i.e., 2007/2010/2013), and so a new version for 2016 is due. (Definitely not happening in 2015).
>>>>>>>> 
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders