[Owasp-topten] OWASP Summit - Day 2 Outcomes
Andrew van der Stock
vanderaj at owasp.org
Tue Jun 13 14:07:25 UTC 2017
*Session #1 Data Weighting*
This was a great session, where we agreed on what's staying and the "why"
weighting and normalization.
There will be a second data call, ending on August 25. If you can provide
data in the same format as found here (
that would be great. We are looking for large and small data sets - tool or
human driven, we want it all. We will get that out widely once I have a a
chance to talk it over with Foundation Staff. I will reach out to those who
have volunteered recently, but there will be a widespread and coordinated
social media blitz once we're ready to do it. I want this to be a trial run
for the OWASP Top 10 2020 data collection so we can learn from it as well.
Secondly, I will work with Brian Glas to define a set of 5-10 "on the cusp"
/ forward looking inclusions and let the community decide the fate of A7 /
A10. Depending on the risk rating of the issues that are likely to be
considered (XXE, Serialization, etc) may mean A7 and A10 move around a bit.
Thirdly, I will work with Brian Glas and others to help define not only the
final weighting for 2017, but some interesting questions for the 2020 data
call, so basically, what could be done better for next time. We have agreed
in this session, it's too late to change the data collection as we've
already collected a lot of data.
Lastly, we have decided on a final date for the next release of the OWASP
Top 10 2017 - late November, probably just before Thanksgiving. I will try
to get it out the week before. This drives various dates before then. We
are looking for a relatively final release candidate in October to make
sure that the data has had time to be analysed and included.
- We are keeping 8 (A1, A2, A3, A4, A5, A6, A8, A9) - consensus view
- Data call open immediately to August 25
- Data format is to be the same for the 2017 data call for any
- Get enough data for repeatable data calls in later years
- In conjunction, survey community to develop the two forward looking
items, also August 25
- Compile a survey by June 30 (Brian Glas / AJV + anyone),
- November 25, 2017
*Session #2 Review of A7 (and A10)*
Dave took us through how A7 and A10 came to be, and honestly, after initial
skepticism, this one really grew on me. The number of times I've performed
a full throttle pen test and the client hasn't detected me or even noticed
I'm now an admin with all the data is a bit worrying, so I think as we've
decided that up to two forward looking issues are to be reserved per
edition, I am actually pretty okay with this issue now. However, we are
still going to do the data call and it might still miss out or be made into
a lower priority. We will see.
I added in all of the feedback that Dave had. If any feedback is missing,
please log it to Github.
- Rename the section to Insufficient Attack Preparation or Insufficient
detection and response
- Ensure that products and services are OWASP aligned, e.g. Name OWASP
projects and remove commercial offerings
- This is an "app" problem, helps dev and ops to work together, and
should encourage. Nothing about ops in it, first devops issue. Might add
more to existing text to make it more aligned with the devops movement
*Still in the air:*
- Dave suggests we release an intermediate RC2 this month, RC3 later in
the year and document that process and dates
- AJV notes he is moving countries and may not achieve this in June. AJV
wants to do weekly releases or just track master on Github.
I will make a decision on this depending on how much I have on my plate. I
have to be realistic here as much as I want the issues documented in Github
taken care of
Torsten suggested we use a Top 10 for Developers (). I will follow up with
him to find this and also to think about OWASP Top 10 for Defenders to
complement OWASP Proactive Controls / OWASP Top 10 Risks. This is not
decided or an agreed outcome.
*Review of the OWASP Top 10 RC1*
If you want to spend time reviewing the current draft, please do so, and
provide feedback here:
Please only one issue per area (i.e. "F" or "A3"), with the format of "what
is wrong", "argument or data that backs your change", and "proposed
change". If it's just a small typo, spelling error, or minor edit, no
argument data is required.
*End of the OWASP Top 10 track*
The rest of the week is free time. Thank you to everyone who participated
in person and remotely. We had a few audio issues, but once video was
dropped it came good.
We have made it to a point where action items need to be done by me and
Brian Glas on the data call and editing the issues in Github. I don't want
to waste folks time especially as there are so many great sessions on is
for the attendees aiming to attend OWASP Top 10 tracks to find other tracks
to learn more about the other great projects and initiatives at OWASP.
I am moving countries, but I will try to make myself available. I'm
obviously available here via e-mail and Hangouts, but also on Skype
(vanderaj), on Twitter (@vanderaj). I do maintain a somewhat active
presence on Google+ but I know few of you do. +Andrew van der Stock. I'd
give my cell number, but it's got about 6 days to live, so yeah, nah.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-topten