Issues Concerning The OWASP Top Ten 2013

Revision as of 08:57, 9 June 2013 by Cmlh (talk | contribs) (Initial Draft)



The Terms of Reference for the "OWASP Top Ten Code of Ethics violations and project handbook" agenda item, i.e., _2013, are specified below.

There are several complaints made against Aspect Security, including,, etc

Each numbered item has been grouped into themes based on headings below:


1. There are several external complaints stating that the Sonatype/Aspect Security statistics are unscientific and biased; some examples are:

2. Aspect Security have promoted both AntiSamy and ESAPI in A1 or A3, projects for which they also hold the Project Leadership. However, their paid research for Sonatype states that the insecure releases of these projects are still being downloaded. Therefore, OWASP is placed in, until recently, unknown catastrophic residual risk, as it appears that OWASP is hypocritical in not following its own recommendation i.e.

3. The residual risk of A9 will be accepted by the developer due to the significant cost with change i.e.

4. A9 does not direct the reader to other related open source projects, such as,, etc

5. The Press Release from Sonatype quotes Jeff Williams and was not approved under the OWASP Quotes process which he also championed as an OWASP Board Member. Furthermore, Aspect Security did not attempt to inform the OWASP Foundation once they were alerted to the publication of the Press Release i.e.

6. Aspect Security hosted a Chapter Meeting on 6 June to promote Sonatype and A9 before the actual 2013 release was accepted by the webappsec community i.e.


7. The statistics from both WhiteHat and HP (i.e. Fortify and WebInspect) require registration. Dave Wichers of Aspect Security has *not* published the promised alternate links i.e.

8. Statistics from Trustwave, Softek or Minded Security were *not* analysed, as this would have resulted in a second release of the RC or at least notification of the result i.e. and

9. Aspect Security have not published their statistical analysis i.e. For comparison purposes, Minded Security were able to publish their effort within less than a month (28 January to 19 February).


10. Softek are *not* listed as a sponsor within the pages of the deliverable as Aspect Security have taken this space for their own enlarged company logo i.e.


11. The formal complaint is available from