[Owasp-topten] [Owasp-leaders] OWASP Top Ten: Project Activity?

Neil Smithline neil.smithline at owasp.org
Wed Jul 8 15:28:59 UTC 2015

(Reply trimmed per requests)

Taking a step back, I think that the T10 continues to be so useful because

   1. It is aimed at people of all skills. Noobs use it as an introduction
   to web app sec, experienced devs used it as a checklist and reference.
   2. It is a very approachable document. The formatting of each risk on a
   page of its own in a standard format makes it accessible.
   3. It is easy and meaningful to include it in a standard.
   4. It is easy to add T10 support to security tools.

I'm sure one could add more, but these are the ones that have been floating
around in my head while reading this email thread. I find myself protective
of these attributes of the T10.

I think what you are suggesting is that data about flaws found in web app
frameworks be included in the T10's data set. I guess I'm not exactly sure
how to do that. The T10 list is created using a large data set of many
applications. How would/could you add data about a small number of
frameworks into such a large data set? Unless you were to add weight to the
flaws found in frameworks, I don't think that they would have much
influence. If you do add weights to framework flaws, how would you do it?

I'm also not sure how adding this data will help the T10. If the addition
of this data were to skew the T10 towards framework authors, I think it
would be detrimental to the T10.

If you think this information would be helpful to framework authors, then
perhaps it warrants a document of its own?


Neil Smithline

On Wed, Jul 8, 2015 at 7:16 AM, Eoin Keary <eoin.keary at owasp.org> wrote:

> Hi Neil,
> The thread is over a massive 40kb!! So my response is bouncing. The list
> admin, David, could increase it to a decent size if he wished. It's very
> simple to do as I have admin in a number of lists myself.....anyways is was
> saying:.....:including framework CVE into the t10 would shake things up
> again after all frameworks are code too, and also prone to developer error
> on the part of the framework developers.
> I'd explain more but every byte counts like we're in the 80's
> Eoin Keary
> OWASP Volunteer
> @eoinkeary
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20150708/71023486/attachment.html>

More information about the Owasp-topten mailing list