Difference between revisions of "Issues Concerning The OWASP Top Ten 2013"

From OWASP
(http://lists.owasp.org/pipermail/owasp-topten/2013-June/001108.html)
Line 1: Line 1:
''[Note that the contents of this page are representative of the authors' opinions and not necessarily of OWASP or its members.]''
 
 
 
INTRODUCTION
 
INTRODUCTION
  
 
The Terms of References for the "OWASP Top Ten Code of Ethics violations and project handbook." agenda item i.e. https://www.owasp.org/index.php/June_10,_2013 are specified below.
 
The Terms of References for the "OWASP Top Ten Code of Ethics violations and project handbook." agenda item i.e. https://www.owasp.org/index.php/June_10,_2013 are specified below.
  
There are several complaints made against Aspect Security, including http://lists.owasp.org/pipermail/owasp-leaders/2013-June/009432.html, http://lists.owasp.org/pipermail/owasp-topten/2013-May/date.html, etc
+
There are several complaints made against Aspect Security by OWASP Members, including http://lists.owasp.org/pipermail/owasp-leaders/2013-June/009432.html, http://lists.owasp.org/pipermail/owasp-topten/2013-May/date.html, etc
  
 
Each numbered item has been grouped into themes based on headings below:
 
Each numbered item has been grouped into themes based on headings below:
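Review bot: the `+` line that inserts "by OWASP Members" still ends the sentence with a bare "etc" and capitalises "Members" differently from "OWASP members" in item 1 below; suggest "by OWASP members, including ..., etc." The unchanged context line "The Terms of References for ..." should also read "Terms of Reference".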
Line 11: Line 9:
 
A9 AND SONATYPE
 
A9 AND SONATYPE
  
1. The are several external complaints stating that the Sonatype/Aspect Security statistics are unscientific and bias and some examples are:
+
1. The are several external complaints from OWASP members stating that the Sonatype/Aspect Security statistics are unscientific and bias and some examples are:
 
* GWT i.e. https://groups.google.com/forum/?fromgroups#!topic/google-web-toolkit/Ezr6acdyZv0
 
* GWT i.e. https://groups.google.com/forum/?fromgroups#!topic/google-web-toolkit/Ezr6acdyZv0
 
* SpringSource i.e. http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/.  Furthermore, as the disclosure by Aspect Security occurred in January 2013 this conflicts with their statement that the statistics were sampled well before 2013.
 
* SpringSource i.e. http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/.  Furthermore, as the disclosure by Aspect Security occurred in January 2013 this conflicts with their statement that the statistics were sampled well before 2013.
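Review bot: the `+` line for item 1 carries over "The are" and "bias" from the old line; since the line is being edited anyway, suggest "There are several external complaints from OWASP members stating that the Sonatype/Aspect Security statistics are unscientific and biased".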
Line 27: Line 25:
 
OTHER SOURCES OF STATISTICS
 
OTHER SOURCES OF STATISTICS
  
7. The statistics from both WhiteHat and HP (i.e. Fortify and WebInspect) require registration.  Dave Wichers of Aspect Security has *not* published the promised alternate links i.e.  http://lists.owasp.org/pipermail/owasp-topten/2013-May/001041.html  
+
7. The statistics from both WhiteHat and HP (i.e. Fortify and WebInspect) require registration.  <del>Dave Wichers of Aspect Security has *not* published the promised alternate links i.e.  http://lists.owasp.org/pipermail/owasp-topten/2013-May/001041.html</del>
  
8. Statistics from either Trustwave, Softek or Minded Security were *not* analysed as this would have resulted in a second release of the RC or at least notification of the result i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001054.html and http://lists.owasp.org/pipermail/owasp-topten/2013-May/001080.html
+
8. Statistics from either Trustwave<del>, Softek or</del> Minded Security were *not* analysed as this would have resulted in a second release of the RC or at least notification of the result i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001054.html and http://lists.owasp.org/pipermail/owasp-topten/2013-May/001080.html
  
 
9. Aspect Security have not published their statistical analysis i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-June/001096.html  For comparison purposes, Minded Security were able to publish their effort within less than a month (28 January to 19 February).
 
9. Aspect Security have not published their statistical analysis i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-June/001096.html  For comparison purposes, Minded Security were able to publish their effort within less than a month (28 January to 19 February).
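Review bot: striking "Softek or" in item 8 with `<del>` leaves the rendered sentence reading "from either Trustwave Minded Security", which drops the conjunction; suggest "either Trustwave or <del>Softek or</del> Minded Security" so the text still reads "either Trustwave or Minded Security". In item 7 the same `<del>` treatment removes the whole Dave Wichers sentence but keeps the trailing double space after "registration."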
Line 35: Line 33:
 
2010 RELEASE
 
2010 RELEASE
  
10. Softek are *not* listed as a sponsor within the pages of the deliverable as Aspect Security have taken this space for their own enlarged company logo i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001039.html
+
10. Softek are *not* listed as a sponsor within the pages of the 2010 deliverable as Aspect Security have taken this space for their own enlarged company logo i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001039.html
  
 
ABUSE FROM ARSHAN DABIRSIAGHI OF ASPECT SECURITY
 
ABUSE FROM ARSHAN DABIRSIAGHI OF ASPECT SECURITY
  
 
11. The formal complaint is available from http://lists.owasp.org/pipermail/owasp-topten/2013-June/001099.html
 
11. The formal complaint is available from http://lists.owasp.org/pipermail/owasp-topten/2013-June/001099.html

Revision as of 20:00, 9 June 2013

INTRODUCTION

The Terms of Reference for the "OWASP Top Ten Code of Ethics violations and project handbook" agenda item, i.e. https://www.owasp.org/index.php/June_10,_2013, are specified below.

There are several complaints made against Aspect Security by OWASP Members, including http://lists.owasp.org/pipermail/owasp-leaders/2013-June/009432.html, http://lists.owasp.org/pipermail/owasp-topten/2013-May/date.html, etc.

Each numbered item has been grouped into themes based on headings below:

A9 AND SONATYPE

1. There are several external complaints from OWASP members stating that the Sonatype/Aspect Security statistics are unscientific and biased, and some examples are:

* GWT, i.e. https://groups.google.com/forum/?fromgroups#!topic/google-web-toolkit/Ezr6acdyZv0

* SpringSource, i.e. http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/. Furthermore, as the disclosure by Aspect Security occurred in January 2013, this conflicts with their statement that the statistics were sampled well before 2013.

2. Aspect Security have promoted both AntiSamy and ESAPI in A1 or A3, projects of which they also hold the Project Leadership. However, their paid research for Sonatype states that insecure releases of these projects are still being downloaded. Therefore, OWASP is placed in, until recently, unknown catastrophic residual risk, as it appears that OWASP is hypocritical in not following its own recommendation, i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-June/001095.html

3. The residual risk of A9 will be accepted by the developer due to the significant cost with change i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-February/000844.html

4. A9 does not direct the reader to other related open source projects, such as https://github.com/gcmurphy/enforce-victims-rule, https://github.com/jeremylong/DependencyCheck, etc.

5. The Press Release from Sonatype quotes Jeff Williams and was not approved under the OWASP Quotes process which he also championed as an OWASP Board Member. Furthermore, Aspect Security did not attempt to inform the OWASP Foundation once they were alerted to the publication of the Press Release i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001017.html

6. Aspect Security hosted a Chapter Meeting on 6 June to promote Sonatype and A9 before the actual 2013 release was accepted by the webappsec community i.e. http://www.meetup.com/OWASP-Baltimore-Chapter/events/119389612/

OTHER SOURCES OF STATISTICS

7. The statistics from both WhiteHat and HP (i.e. Fortify and WebInspect) require registration. Dave Wichers of Aspect Security has *not* published the promised alternate links i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001041.html

8. Statistics from either Trustwave, Softek or Minded Security were *not* analysed as this would have resulted in a second release of the RC or at least notification of the result i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001054.html and http://lists.owasp.org/pipermail/owasp-topten/2013-May/001080.html

9. Aspect Security have not published their statistical analysis, i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-June/001096.html. For comparison purposes, Minded Security were able to publish their effort within less than a month (28 January to 19 February).

2010 RELEASE

10. Softek are *not* listed as a sponsor within the pages of the 2010 deliverable as Aspect Security have taken this space for their own enlarged company logo i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001039.html

ABUSE FROM ARSHAN DABIRSIAGHI OF ASPECT SECURITY

11. The formal complaint is available from http://lists.owasp.org/pipermail/owasp-topten/2013-June/001099.html