Issues Concerning The OWASP Top Ten 2013

INTRODUCTION

The Terms of Reference for the "OWASP Top Ten Code of Ethics violations and project handbook" agenda item, i.e. https://www.owasp.org/index.php/June_10,_2013, are specified below.

There are several complaints made against Aspect Security, including http://lists.owasp.org/pipermail/owasp-leaders/2013-June/009432.html, http://lists.owasp.org/pipermail/owasp-topten/2013-May/date.html, etc.

Each numbered item has been grouped into a theme under the headings below:

A9 AND SONATYPE

1. There are several external complaints stating that the Sonatype/Aspect Security statistics are unscientific and biased; some examples are:
 * GWT i.e. https://groups.google.com/forum/?fromgroups#!topic/google-web-toolkit/Ezr6acdyZv0
 * SpringSource i.e. http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/. Furthermore, as the disclosure by Aspect Security occurred in January 2013, this conflicts with their statement that the statistics were sampled well before 2013.

2. Aspect Security have promoted both AntiSamy and ESAPI in A1 or A3, projects for which they also hold the Project Leadership. However, their paid research for Sonatype states that their insecure releases are still being downloaded. Therefore, OWASP is placed in, until recently, unknown catastrophic residual risk, as it appears that OWASP is hypocritical in not following its own recommendation, i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-June/001095.html

3. The residual risk of A9 will be accepted by the developer due to the significant cost of change, i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-February/000844.html

4. A9 does not direct the reader to other related open source projects, such as https://github.com/gcmurphy/enforce-victims-rule, https://github.com/jeremylong/DependencyCheck, etc.

5. The Press Release from Sonatype quotes Jeff Williams and was not approved under the OWASP Quotes process which he also championed as an OWASP Board Member. Furthermore, Aspect Security did not attempt to inform the OWASP Foundation once they were alerted to the publication of the Press Release i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001017.html

6. Aspect Security hosted a Chapter Meeting on 6 June to promote Sonatype and A9 before the actual 2013 release was accepted by the webappsec community i.e. http://www.meetup.com/OWASP-Baltimore-Chapter/events/119389612/

OTHER SOURCES OF STATISTICS

7. The statistics from both WhiteHat and HP (i.e. Fortify and WebInspect) require registration. Dave Wichers of Aspect Security has *not* published the promised alternate links i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001041.html

8. Statistics from either Trustwave, Softek or Minded Security were *not* analysed as this would have resulted in a second release of the RC or at least notification of the result i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001054.html and http://lists.owasp.org/pipermail/owasp-topten/2013-May/001080.html

9. Aspect Security have not published their statistical analysis, i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-June/001096.html. For comparison purposes, Minded Security were able to publish their effort in less than a month (28 January to 19 February).

2010 RELEASE

10. Softek are *not* listed as a sponsor within the pages of the deliverable as Aspect Security have taken this space for their own enlarged company logo i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001039.html

ABUSE FROM ARSHAN DABIRSIAGHI OF ASPECT SECURITY

11. The formal complaint is available from http://lists.owasp.org/pipermail/owasp-topten/2013-June/001099.html