[Owasp-topten] [Owasp-leaders] Released: OWASP Top 10 – 2017 Release Candidate

psiinon psiinon at gmail.com
Wed Apr 12 09:09:16 UTC 2017


Another concern I have is the transparency of this project.
Who made the decisions? Was it a couple of individuals? A team?
And on what basis were the decisions made?

I'm not criticizing how it was done, partly because it seems to be very
opaque :) I've certainly not seen any meaningful discussions about the doc
on this list before the RC1 was released.
And I'm not suggesting it actually needs to be changed, e.g. by putting it to
a common vote either - that brings its own set of problems ;)
However the categories and ordering (still) look to me to be very
subjective. There may well be data behind them but it's the interpretation
that is key.
I think that a document explaining the process and thoughts behind the
interpretation would really help - I don't think it needs to be in the Top
10 doc but I think this info should be there for those of us who care about
it. I also want to see a summary of the data collected.
How can we review any of the RCs if we don't understand on what basis they
were created?

Cheers,

Simon

On Wed, Apr 12, 2017 at 8:31 AM, psiinon <psiinon at gmail.com> wrote:

> As per Jeremiah's tweet
> https://twitter.com/jeremiahg/status/851562562634137600
> I think one of the biggest security risks to any medium-large
> organization is unknown sites / applications and functionality.
> Not having a category like this in the Top 10 feels like a huge omission
> to me.
> Who here in an organization of any non-trivial size is not worried about
> what they don't know has been deployed?
>
> Cheers,
>
> Simon
>
> On Mon, Apr 10, 2017 at 3:36 PM, Dave Wichers <dave.wichers at owasp.org>
> wrote:
>
>> OWASP Leaders!
>>
>> The Release Candidate for the OWASP Top 10 – 2017 is now available!
>> (Attached)
>>
>> *It’s also available for Download here
>> <https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf>*
>>
>> Please forward to all the developers and development teams you know!! I’d
>> love to get feedback from them too, and to start immediately raising
>> awareness about what’s changed in this update to the OWASP Top 10. The
>> primary change is the addition of two new categories:
>>
>>
>> *2017-A7: Insufficient Attack Protection*
>>
>> *2017-A10: Underprotected APIs*
>>
>> We plan to release the final version of the OWASP Top 10 - 2017 in July
>> or Aug. 2017 after a public comment period ending June 30, 2017.
>>
>> Constructive comments on this OWASP Top 10 - 2017 Release Candidate should
>> be forwarded via email to OWASP-TopTen at lists.owasp.org. Private comments
>> may be sent to dave.wichers at owasp.org. Anonymous comments are
>> welcome. All non-private comments will be catalogued and published at the
>> same time as the final public release. Comments recommending changes to
>> the items listed in the Top 10 should include a complete suggested list
>> of changes, along with a rationale for any changes. All comments should
>> indicate the specific relevant page and section.
>>
>> Your feedback is critical to the continued success of the OWASP Top 10 Project.
>> Thank you all for your dedication to improving the security of the world’s
>> software for everyone.
>>
>> Thanks, Dave
>>
>> OWASP Top 10 Project Lead
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader