Top 10 2013/ProjectMethodology
The purpose of this page is to provide greater clarity on the methodology of the OWASP Top 10 project. It covers the data and individuals involved in the Top 10, the current processes, suggestions for improving involvement and participation, and an FAQ addressing common questions and concerns.
This is a wiki and is editable by anyone with an OWASP account. Please contribute constructively to the conversation. Additional discussion should also take place on the OWASP Top 10 mailing list.
Current Data Sources
- Use a public wiki to capture feedback; mailing lists are hard to follow and items get lost
- Establish a Top 10 panel to evaluate and make final decisions on inclusion and ranking
  - It is not feasible for everyone to vote on every item
  - The panel should be diverse, representing various verticals (vendor, enterprise, offense/defense, etc.)
- Additional data sources could be considered (please add links)
  - WASC Web Hacking Incident Database
  - Akamai State of the Internet Reports
  - FireHost's Web Application Attack Reports
  - Imperva's Web Application Attack Reports
- Additional reports could be considered:
  - Annual Symantec Internet Security Threat Reports
  - IBM X-Force threat reports