Top 10 2013/ProjectMethodology

Revision as of 10:10, 2 March 2013 by Wichers (Talk | contribs)

Jump to: navigation, search


The purpose of this page is to provide greater clarity on the development methodology of the OWASP Top 10. This page provides information on the data sources used as input to the top 10, the current development processes, suggestions to improve involvement and participation, and also an FAQ to cover common questions & concerns.

This is a wiki and editable by anyone with an OWASP account. Please constructively contribute to the conversation. Additional discussions should also take place within the OWASP top 10 mailing list.

Current Methodology

  1. Data sources accepted from a variety of companies (see Top_10_2013/ProjectMethodology#Current_Data_Sources sources)
  2. Data & professional opinion used to create initial Top 10 rankings and items
    • <dave> List involved individuals here
  3. Public comment period of RC1 from February through end of March
  4. All comments evaluated and top 10 updated appropriately by:
    • <dave> List involved individuals here
  5. All comments and responses posted publicly
  6. <dave> RC2 issued?
  7. Final version published

Current Prevalence Data Sources

  • Aspect Security
  • HP (Results for both Fortify and WebInspect)
  • Minded Security - Statistics
  • Softtek
  • TrustWave Spiderlabs
  • Veracode – Statistics
  • WhiteHat Security – Statistics

If you would like to contribute your vulnerability statistics to the OWASP Top 10 project, please send your data to: Please indicate if its OK for OWASP to publish this raw data. If you have already published this data, please provide us a link to the public posting.

Suggested Enhancements

  • Use a public wiki or google issues to capture feedback - mailing lists are tough and things get lost
  • Establish a Top 10 panel to evaluate and make final decisions on inclusion & ranking
    • Not feasible for everyone to vote on every item
    • A diverse panel representing various verticals (vendor, enterprise, offense/defense, etc)
  • Additional data sources could be considered (please add links)
    • WASC Web Hacking Incident Database
    • Akamai State of the Internet Reports
    • Firehosts Web Application Attack Reports
    • Imperva's Web Application Attack Reports
  • Additional reports could be considered:
    • Annual Symantec Internet Threat Reports
    • Datalossdb
    • IBM XForce threat reports
  • Public forum to brainstorm and discuss key topics


  • TBD