[Owasp-topten] [Owasp-leaders] Released: OWASP Top 10 – 2017 Release Candidate

psiinon psiinon at gmail.com
Thu Apr 13 08:05:27 UTC 2017


Thanks Dave,

I think it's really useful to have this data publicly available.

Cheers,

Simon

On Wed, Apr 12, 2017 at 3:34 PM, Dave Wichers <dave.wichers at owasp.org>
wrote:

> The data set we collected for the 2017 Top 10 and the basic analysis we
> did on it is in this folder on github:
> https://github.com/OWASP/Top10/blob/master/2017/datacall/. It's a simple Excel spreadsheet.
>
> And both A7 and A10 are a bit complex (or at least new), so we plan to
> write or augment some articles on the OWASP Wiki itself to provide further
> explanation. A single page is very hard to get all your ideas/points across
> for a complex category clearly (esp. A7).
>
> -Dave
>
>
> On Wed, Apr 12, 2017 at 5:09 AM, psiinon <psiinon at gmail.com> wrote:
>
>> Another concern I have is the transparency of this project.
>> Who made the decisions? Was it a couple of individuals? A team?
>> And on what basis were the decisions made?
>>
>> I'm not criticizing how it was done, partly because it seems to be very
>> opaque :) I've certainly not seen any meaningful discussions about the doc
>> on this list before the RC1 was released.
>> And I'm not suggesting it actually needs to be changed, eg by putting it
>> to a common vote either - that brings its own set of problems ;)
>> However, the categories and ordering (still) look to me to be very
>> subjective. There may well be data behind them, but it's the interpretation
>> that is key.
>> I think that a document explaining the process and thoughts behind the
>> interpretation would really help - I don't think it needs to be in the Top
>> 10 doc, but I think this info should be there for those of us who care about
>> it. I also want to see a summary of the data collected.
>> How can we review any of the RCs if we don't understand on what basis they
>> were created?
>>
>> Cheers,
>>
>> Simon
>>
>> On Wed, Apr 12, 2017 at 8:31 AM, psiinon <psiinon at gmail.com> wrote:
>>
>>> As per Jeremiah's tweet
>>> https://twitter.com/jeremiahg/status/851562562634137600
>>> I think one of the biggest security risks to any medium-large
>>> organization is unknown sites / applications and functionality.
>>> Not having a category like this in the Top 10 feels like a huge omission
>>> to me.
>>> Who here in an organization of any non-trivial size is not worried about
>>> what they don't know has been deployed?
>>>
>>> Cheers,
>>>
>>> Simon
>>>
>>> On Mon, Apr 10, 2017 at 3:36 PM, Dave Wichers <dave.wichers at owasp.org>
>>> wrote:
>>>
>>>> OWASP Leaders!
>>>>
>>>>
>>>>
>>>> The Release Candidate for the OWASP Top 10 – 2017 is now available!
>>>> (Attached)
>>>>
>>>>
>>>>
>>>> *It’s also available for Download here
>>>> <https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf>*
>>>>
>>>>
>>>>
>>>> Please forward to all the developers and development teams you know!!
>>>> I’d love to get feedback from them too, and to start immediately raising
>>>> awareness about what’s changed in this update to the OWASP Top 10. The
>>>> primary change is the addition of two new categories:
>>>>
>>>>
>>>> *2017-A7: Insufficient Attack Protection*
>>>>
>>>> *2017-A10: Underprotected APIs*
>>>>
>>>>
>>>>
>>>> We plan to release the final version of the OWASP Top 10 - 2017 in
>>>> July or Aug. 2017 after a public comment period ending June 30, 2017.
>>>>
>>>>
>>>>
>>>> Constructive comments on this OWASP Top 10 - 2017 Release Candidate should
>>>> be forwarded via email to OWASP-TopTen at lists.owasp.org. Private
>>>> comments may be sent to dave.wichers at owasp.org. Anonymous comments
>>>> are welcome. All non-private comments will be catalogued and published at
>>>> the same time as the final public release. Comments recommending
>>>> changes to the items listed in the Top 10 should include a complete
>>>> suggested list of changes, along with a rationale for any changes. All
>>>> comments should indicate the specific relevant page and section.
>>>>
>>>>
>>>>
>>>> Your feedback is critical to the continued success of the OWASP Top 10 Project.
>>>> Thank you all for your dedication to improving the security of the world’s
>>>> software for everyone.
>>>>
>>>>
>>>>
>>>> Thanks, Dave
>>>>
>>>>
>>>>
>>>> OWASP Top 10 Project Lead
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader