This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP Working Session Top 10 2009

Jump to: navigation, search
Working Sessions Operational Rules - Please see here the general frame of rules.
Work Session Name OWASP Top 10 2009
Short Work Session Description Aims to provide a key awareness document for web application security.
Related Projects (if any) OWASP Top Ten Project
Email Contacts & Roles Chair
Dave Wichers
Jeff Williams
Mailing list
Subscription Page
  • Discuss current Top10 structure and objectives,
  • Identify which information sources will be considered for analysis, Eg:
    • MITRE
    • Compromise DB's (Attrition, WASC etc) and bias due to reporting
    • Anonomised penetration test results and the difficulty in obtaining
  • Define methodology to collect attacks statistics,
  • Define prioritisation approach
    • Agree weighting between current or emerging threats
Venue/Date&Time/Model Venue
OWASP EU Summit Portugal 2008
November 5 & 7, 2008
Time TBD
Discussion Model
"Participants + Attendees"
Please add here, ASAP, any needed relevant resources, e.g. data-show, boards, laptops, etc.
Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution.

Potential Resources:

Statements, Initiatives or Decisions Proposed by Working Group Approved by OWASP Board
The sources of input for the 2009 Top 10 will be identified. After the Board Meeting - fill in here.
The ordering scheme for the Top 10 will be determined. After the Board Meeting - fill in here.
Discussion of whether the existing document structure should be maintained or adjusted. After the Board Meeting - fill in here.
Video After the Board Meeting - fill in here.

Working Session Participants

(Add your name by editing this table. On the right, just above this frame, you have the option to edit)

Name Company Notes & reason for participating, issues to be discussed/addressed
1 Paolo Perego Spike Reply As penetration tester it woud be great to me to participating in writing the new Top 10. As code reviewer and Orizon project leader it would be very interesting in scouting dynamic threats in order to add some dynamic feature to my tool.
2 David Campbell OWASP Denver
3 Robert Mann RBS / ABN AMRO
4 Troy Leach PCI Security Standards Council Technical Director
5 Eoin Keary Ernst & Young. Long time OWASP member (Code and Testing guides)
6 Matteo Meucci Minded Security I'd like to discuss about a new way to create the Top10 from the OWASP Community
7 Giorgio Fedon Minded Security
8 Andrea Cogliati OWASP Rochester, NY I volunteered as a technical writer
9 Christian Martorella S21sec Interested in participating on the creating the Top 10, share some ideas.
10 Nishi Kumar Systems Architect (FIS) Global Web Development Group Interested in participating and sharing ideas
11 Tom Brennan OWASP/WhiteHat Security Want to discuss some of the stats we can share with OWASP
12 Georg Hess OWASP Germany mainly to get some insight into the process

12 Arturo 'Buanzo' Busleiman Independent Expert Contributor for SANS TOP20 since 2005. want to contribute here.
12 Fabio Cerullo AIB Interested in participating on the creation of the Top 10, share some ideas.
12 S├ębastien Gioria OWASP France Interested in reviewing and give some Point of View frome France ans some pentesting made here. Also interessted to translate it as soon as possible for our France Market.
13 Marco Mella Independent