[Owasp-topten] [Owasp-bayarea] Top Ten 2016 (time for a refresh)

Blake blake at hotwan.com
Thu Feb 4 19:59:58 UTC 2016

Yes, only relevant CVEs that pertain to top web app stuff. We got several
years of good data on that.

Bug bounty programs have increasing relevance nowadays. Crowdsourced hacking
from all over the world finds bugs in people's websites 24/7/365 and they get
paid either through an internal program like PayPal's or an external company
like Bugcrowd, HackerOne, etc.

I feel Bug Bounties are more legitimate and representative of a top 10 than
some web app security company submitting their anonymized findings of their
previous assessments.

Bug bounty findings are validated findings hence a tangible payout.

Security company assessment stats are skewed with the inclusion of a bunch
of potential false positives introduced as vulns. These false positives are
only later discovered by the receiving clients and/or other 3rd-party
auditors who review the work of the previous security company assessment.
This delta of error is rarely conveyed back to the security company that
provided the original assessment so their stats.

Say, for example, a company may say, "we found 1,000 different cross-site
scripting bugs on a website" when in fact there may be only 2 after someone
else outside the assessment validated those findings.

Hope this makes sense.

-Blake Turrentine

From:  Dave Wichers <dave.wichers at owasp.org>
Date:  Thursday, February 4, 2016 at 10:45 AM
To:  docs <blake at electronicrealm.com>
Cc:  docs <blake at hotwan.com>, <Owasp-bayarea at lists.owasp.org>, 박형근
<mirrk1 at gmail.com>, OWASP TopTen <Owasp-topten at lists.owasp.org>
Subject:  Re: [Owasp-bayarea] [Owasp-topten] Top Ten 2016 (time for a

Each Top 10 item refers to the relevant CVEs if that's what you mean. I
definitely plan to reference Dependency Check in the new Top 10.
Not sure how bug bounty programs would relate to the Top 10...

On Wed, Feb 3, 2016 at 10:34 AM, Blake <blake at electronicrealm.com> wrote:
> Thank you Dave.
> Have we incorporated CVEs in the past?  Not necessarily under the general
> category "A9 - Using Components with Known Vulnerabilities
> <https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities>"
> but make it more specific as to the type of vulns found in
> them. (Jeremy Long's Dependency Check tool comes to mind.)
> Also, I’m hoping we can rope in the bug bounty folks / companies.  Jason
> Haddix, a great supporter of OWASP, may give us some guidance.
> Furthermore, I’ve worked with a few companies that have internal BB that may
> help out.
> -Blake Turrentine
> HotWAN
> From:  <owasp-bayarea-bounces at lists.owasp.org> on behalf of Dave Wichers
> <dave.wichers at owasp.org>
> Date:  Wednesday, February 3, 2016 at 6:44 AM
> To:  docs <blake at hotwan.com>
> Cc:  <Owasp-bayarea at lists.owasp.org>, 박형근 <mirrk1 at gmail.com>, OWASP TopTen
> <Owasp-topten at lists.owasp.org>
> Subject:  Re: [Owasp-bayarea] [Owasp-topten] Top Ten 2016 (time for a refresh)
> I need to issue a data call. I plan to do that by end of February and make it
> public, whereas previously I simply asked for specific organizations to
> contribute. I'm going to provide a template of what the input needs to look
> like and then anyone who wants to can contribute their data.
> We'll then have to sort through it all and decide what the next Top 10 items
> are going to be based on this input and other trends we are seeing in
> industry.
> At that point, it would be good to discuss your ideas around including other
> material like you suggest.
> -Dave
> On Tue, Feb 2, 2016 at 12:02 AM, Blake <blake at hotwan.com> wrote:
>> Awesome for the help!
>> 박형근, I am trying to see what's been done so far, if anything, for updating Top
>> 10 for 2016.
>> Trying to reach out to Dave Wichers, the former project lead of OWASP Top 10
>> - 2013, to see what's going on.
>> I have some ideas on representing Web Services and APIs (OAuth, etc) a little
>> better in the mix as well as augmenting vulnerability prevalence data to
>> support the new rankings.
>> -Blake Turrentine
>> From:  박형근 <mirrk1 at gmail.com>
>> Date:  Monday, February 1, 2016 at 8:06 PM
>> To:  docs <blake at hotwan.com>
>> Subject:  Re: [Owasp-topten] Top Ten 2016
>> Hello, Blake. 
>> Are you in the development of Top Ten 2016?
>> What is the time frame?
>> I will support you with Korean security experts.
>> Thanks a lot. 
>> Best regards. 
>> 2016-02-02 3:44 GMT+09:00 Blake <blake at hotwan.com>:
>>> Hi,
>>> Checking in to see where we are at with the development of Top Ten 2016.
>>> Looking to help out.
>>> Cheers,
>>> Blake Turrentine
>>> _______________________________________________
>>> Owasp-topten mailing list
>>> Owasp-topten at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>> -- 
>> Park, Hyungkeun, CGEIT, CISSP, CISA, IBM Security Technical Leader, SWG, IBM
>> Korea.
>> TEL. 82-2-3781-7963, FAX. 82-31-213-8283, HP 010-4995-7963, E-mail :
>> phk at kr.ibm.com
>> Office Address :  16th Fl., Military Mutual Aid Association Bldg 467-12,
>> Dogok-dong, Gangnam-gu, Seoul, Korea (Zip Code : 135-270)
>> Twitter: http://twitter.com/securityinsight
>> Facebook: http://www.facebook.com/hyungkeun.park
>> Web Site: http://www.securityplus.or.kr
> _______________________________________________
> Owasp-bayarea mailing list
> Owasp-bayarea at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-bayarea
