Difference between revisions of "Top 10 2013/ProjectMethodology"

From OWASP
(Suggested Enhancements)
Line 1: Line 1:
 
=About=
 
=About=
The purpose of this page is to provide greater clarity to the methodology of the OWASP Top 10 project.  This page will provide information on the data and individuals involved in the top 10, the current processes, suggestions to improve involvement and participation, and also an FAQ to cover common questions & concerns.
+
The purpose of this page is to provide greater clarity on the development methodology of the OWASP Top 10.  This page provides information on the data sources used as input to the top 10, the current development processes, suggestions to improve involvement and participation, and also an FAQ to cover common questions & concerns.
  
This is a wiki and editable by anyone with an owasp account. Please constructively contribute to the conversation.  Additional discussions should also take place within the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP top 10 mailing list].
+
This is a wiki and editable by anyone with an OWASP account. Please constructively contribute to the conversation.  Additional discussions should also take place within the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP top 10 mailing list].
  
 
=Current Methodology=
 
=Current Methodology=
# Data sources accepted from a variety of companies (see [https://owasp.org/index.php/Top_10_2013/ProjectMethodology#Current_Data_Sources sources])
+
# Data sources accepted from a variety of companies (see [[Top_10_2013/ProjectMethodology#Current_Data_Sources sources]])
 
# Data & professional opinion used to create initial Top 10 rankings and items
 
# Data & professional opinion used to create initial Top 10 rankings and items
 
#* <dave> List involved individuals here
 
#* <dave> List involved individuals here
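Review bot: the internal link on the added line `# Data sources accepted from a variety of companies (see [[Top_10_2013/ProjectMethodology#Current_Data_Sources sources]])` separates the target from the label with a space; MediaWiki internal links need a pipe, so this renders as literal text instead of a link (the rendered revision below shows exactly that). Change it to `[[Top_10_2013/ProjectMethodology#Current_Data_Sources|sources]]`. The `<dave> List involved individuals here` placeholders are carried over unchanged, so the list of people making the initial rankings is still missing.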
Line 17: Line 17:
 
# Final version published
 
# Final version published
  
=Current Data Sources=
+
=Current Prevalence Data Sources=
 
* Aspect Security
 
* Aspect Security
 
* HP (Results for both Fortify and WebInspect)
 
* HP (Results for both Fortify and WebInspect)
* Minded Security
+
* Minded Security - [http://blog.mindedsecurity.com/2013/02/real-life-vulnerabilities-statistics.html Statistics]
 
* Softtek
 
* Softtek
* TrustWave
+
* TrustWave Spiderlabs
* Veracode – Statistics
+
* Veracode – [http://info.veracode.com/rs/veracode/images/VERACODE-SOSS-V4.PDF Statistics]
* WhiteHat Security Inc. – Statistics
+
* WhiteHat Security – [https://www.whitehatsec.com/home/resource/stats.html Statistics]
 +
 
 +
If you would like to contribute your vulnerability statistics to the OWASP Top 10 project, please send your data to: dave.wichers@owasp.org. Please indicate if its OK for OWASP to publish this raw data. If you have already published this data, please provide us a link to the public posting.
  
 
=Suggested Enhancements=
 
=Suggested Enhancements=
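Review bot: renaming the heading from `=Current Data Sources=` to `=Current Prevalence Data Sources=` changes the section anchor to `#Current_Prevalence_Data_Sources`, but the link in the Current Methodology list still targets `#Current_Data_Sources`, so it will no longer jump to this section; update that link to the new anchor in the same edit. Two smaller points in the added lines: "Please indicate if its OK for OWASP to publish this raw data" should read "it's OK", and the Minded Security entry uses a hyphen (`Minded Security - [...]`) while the Veracode and WhiteHat entries use an en dash, so the list separators are inconsistent.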
Line 43: Line 45:
  
 
=FAQ=
 
=FAQ=
*
+
* TBD
*
+
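Review bot: replacing the two empty `*` bullets with `* TBD` leaves the FAQ section with no content while the About paragraph promises "an FAQ to cover common questions & concerns"; consider either seeding it with at least one question or dropping the heading until there is something to show, so readers reaching it from the table of contents do not land on an empty section.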

Revision as of 11:10, 2 March 2013


About

The purpose of this page is to provide greater clarity on the development methodology of the OWASP Top 10. This page provides information on the data sources used as input to the top 10, the current development processes, suggestions to improve involvement and participation, and also an FAQ to cover common questions & concerns.

This is a wiki and editable by anyone with an OWASP account. Please constructively contribute to the conversation. Additional discussions should also take place within the OWASP top 10 mailing list.

Current Methodology

  1. Data sources accepted from a variety of companies (see the Current Prevalence Data Sources section below)
  2. Data & professional opinion used to create initial Top 10 rankings and items
    • <dave> List involved individuals here
  3. Public comment period of RC1 from February through end of March
  4. All comments evaluated and top 10 updated appropriately by:
    • <dave> List involved individuals here
  5. All comments and responses posted publicly
  6. <dave> RC2 issued?
  7. Final version published

Current Prevalence Data Sources

  • Aspect Security
  • HP (Results for both Fortify and WebInspect)
  • Minded Security - Statistics
  • Softtek
  • TrustWave Spiderlabs
  • Veracode – Statistics
  • WhiteHat Security – Statistics

If you would like to contribute your vulnerability statistics to the OWASP Top 10 project, please send your data to: dave.wichers@owasp.org. Please indicate if it's OK for OWASP to publish this raw data. If you have already published this data, please provide us a link to the public posting.

Suggested Enhancements

  • Use a public wiki or Google Issues to capture feedback - mailing lists are tough and things get lost
  • Establish a Top 10 panel to evaluate and make final decisions on inclusion & ranking
    • Not feasible for everyone to vote on every item
    • A diverse panel representing various verticals (vendor, enterprise, offense/defense, etc.)
  • Additional data sources could be considered (please add links)
    • WASC Web Hacking Incident Database
    • Akamai State of the Internet Reports
    • FireHost's Web Application Attack Reports
    • Imperva's Web Application Attack Reports
  • Additional reports could be considered:
    • Annual Symantec Internet Threat Reports
    • DataLossDB
    • IBM X-Force threat reports
  • Public forum to brainstorm and discuss key topics

FAQ

  • TBD