[Owasp-topten] OWASP Top 10 Summit Outcomes

Christian Folini christian.folini at netnea.com
Mon Jun 12 18:54:09 UTC 2017


Thank you for this detailed report Andrew.

I was growing uneasy with the sudden departure of Dave from the project
leader position, but your report is crystal clear and gives me
confidence that you guys are doing very good work.

But let me follow up on one issue that points beyond Top10.

On Tue, Jun 13, 2017 at 12:56:11AM +1000, Andrew van der Stock wrote:
>    - I will take a motion to the Board asking for a change to the Project
>    Leader Handbook, where Flagship projects will have a six month grace period
>    to obtain at least two leaders from two different firms to avoid
>    perceptions of vendor lock in either in actuality or perceived. There is no
>    restriction on a single leader from a single company controlling a Flagship
>    project at the moment, so I want to de-couple the other issues from the
>    independence issue.

This makes perfect sense for Top10 where independence has been put into
question again and again. But you want to enforce a rule that makes
sense here to other projects. I'm a member of the OWASP ModSecurity
Core Rule Set Project that has been doing fine with a single project
leader since its inception and promotion to flagship status.

I see that this is only a motion, but I think general rules are hard to
get right and decisions as these should be taken on a case by case base.

Just my 2 cents.

Christian Folini




>    - There will be a transparent and documented decision to ensure that up
>    to 2 of the OWASP Top 10 issues will be forward looking, and that the
>    community should drive the consensus for what they will be. I will open up
>    a discussion on OWASP Leaders and elsewhere with a short vote on what the 2
>    for 2017 should be, including the existing two issues, XXE and object
>    serialization, and I'll figure one out from the also rans of the data
>    collection process.
> 
> 
> *Session 2: OWASP Top 10 Data Collection Process*
> 
> We talked about the way data was collected and process by which it was
> analysed. For 2017, there was an open call for data, but it wasn't widely
> reported nor pushed once open, and this might have resulted in fewer
> responses than in a perfect world. There was a lot of discussion around the
> process, if we use data scientists, can we use the existing data, and if we
> re-open the data collection. It was incredibly valuable discussion, and I
> think it struck a good pragmatic balance. We want to drive a release this
> year, but RC2 will not come out this week, so we will not be running
> editing / creating sessions this week, but will instead work on getting a
> bit more data in.
> 
> The outcomes from this session are:
> 
>    - A data collection process and timeline will be published to the wiki
>    to make sure everyone knows how data is collected and analysed, and when
>    the next data call will be held. Some of this will appear in the text,
>    probably an appendix to make sure that our process is transparent and open.
>    - I will work on a process with Foundation staff to ensure that we can
>    maximise publicity for the next data call round in 2019. There was
>    discussion of keeping it open all the time, but honestly, unless we can get
>    a data scientist to volunteer, I doubt we could make use of that
>    contribution. For smaller consultancies, obtaining this data is already
>    difficult, and we don't want folks to be overly burdened by the data call.
>    - A data call extension will be pushed out for interested parties. I
>    will do this tomorrow as it's quite late here already. As long as data is
>    roughly in the same Excel format as the existing call and provided by the
>    end of July, I think we can use it.
>    - Dave will reach out to Brian Glas to obtain feedback for tomorrow's
>    data weighting session to be held in the morning.
>    - For 2020, we will try to find data scientists to help us to improve
>    our data methodology and analysis, so that for the non-forward looking data
>    at least, we can ensure that data drives inclusion.
>    - Ordering will never be strictly data order; to provide continuity,
>    there is a decision (which will now be documented) that if A1 ... A3 in
>    2010 are the same in 2017 but in a slightly different order, those will
>    retain a previous order. This helps folks map results year on year and
>    prevents massive upheaval between years.
>    - Feedback obtained from the OWASP Top 10 mail list will end up in Git
>    Hub tomorrow as issues. Feedback sent privately to Dave, I will reach out
>    to these individuals to ask permission to create issues at GitHub. This
>    will help with project transparency. From now on, if you have feedback,
>    please provide it at GitHub: https://github.com/OWASP/Top10/issues
> 
> This session kept on coming back to the weighting, and we looked at that
> briefly. However, we have a session tomorrow morning for that, so I would
> suggest participants look over the following blog posts before the session
> to see where we can make improvements, either this time around (and
> document it!), or if it will apply to 2020 and beyond. Thats for tomorrow.
> 
> 
>    - https://nvisium.com/blog/2017/04/18/musings-on-the-owasp-
>    top-10-2017-rc1/
>    - https://nvisium.com/blog/2017/04/24/musings-on-the-owasp-
>    top-10-2017-rc1-pt2/
>    - https://snyk.io/blog/owasp-top-10-breaches/
> 
> 
> I do want to point out that we probably should include impact as that's
> part of a traditional risk, but we also need to be fair to all data
> participants when weighting supplied data. Once we've made a decision, that
> will be documented for 2017, and we will obtain advice for 2020, 2023.
> 
> Lastly, we worked on what the sessions will be. Considering the decisions
> taken in consensus, it will not be possible to release an RC2 this week,
> especially if we take more data. So we will return to looking over the A7
> on Tuesday afternoon and A10 on Wednesday morning sessions. These are new
> forward looking items, and may be with sufficient disclosure and possibly a
> bit of rewording or re-ordering, we might be able to include them. Let's
> work it out. Please participate.
> 
> thanks,
> Andrew

> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten


-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.folini at netnea.com
twitter: @ChrFolini


More information about the Owasp-topten mailing list