[Owasp-topten] RC Feedback, Question about Purpose

Tim Goddard tim at goddard.nz
Mon Apr 10 22:53:11 UTC 2017

Hi all,

Just some personal feedback and a question around the OWASP top ten
2017 RC today. Clearly the shift here seems to be away from specific
issues towards broader categories (as the 2010 to 2013 move was also).

My background is as a software developer and am now a pentester, so
I've personally had two major uses for the top ten in the past:

1. As a learning guide and professional standard for developers. For
example, if hiring junior developers I might check they are aware of
the top three, whereas I would expect a senior/principal developer to
be able to give me an example of any of the top ten, and what
practices they would follow to prevent it.

2. As a classification tool for security issues, helping to identify
relevant materials and group issues with similar causes or similar

While the new 2017 list is likely to cover a wider range of issues for
the second purpose by adding more broad categories, I feel that the
new categories are so broad as to disrupt the developer standards
angle. I can't claim to fully understand these categories as a
pentester, let alone expect developers to do so as a core competency.

So the main question this prompts me to ask is: "What is the purpose
of the OWASP top ten?"

Kind regards,


More information about the Owasp-topten mailing list