Issues Concerning The OWASP Top Ten 2013 - Revision history

Jmanico at 20:03, 24 February 2014

2014-02-24T20:03:59Z

Jmanico at 20:03, 24 February 2014

2014-02-24T20:03:34Z

Cmlh: http://lists.owasp.org/pipermail/owasp-topten/2013-June/001108.html

2013-06-10T01:00:24Z

http://lists.owasp.org/pipermail/owasp-topten/2013-June/001108.html

Neil Smithline at 18:59, 9 June 2013

2013-06-09T18:59:23Z

Neil Smithline: moved OWASP Top Ten 2013 to Issues Concerning The OWASP Top Ten 2013

2013-06-09T18:51:01Z

moved OWASP Top Ten 2013 to Issues Concerning The OWASP Top Ten 2013

Cmlh: Initial Draft

2013-06-09T13:57:39Z

Initial Draft

New page

INTRODUCTION

The Terms of References for the "OWASP Top Ten Code of Ethics violations and project handbook." agenda item i.e. https://www.owasp.org/index.php/June_10,_2013 are specified below.

There are several complaints made against Aspect Security, including http://lists.owasp.org/pipermail/owasp-leaders/2013-June/009432.html, http://lists.owasp.org/pipermail/owasp-topten/2013-May/date.html, etc

Each numbered item has been grouped into themes based on headings below:

A9 AND SONATYPE

1. The are several external complaints stating that the Sonatype/Aspect Security statistics are unscientific and bias and some examples are:
* GWT i.e. https://groups.google.com/forum/?fromgroups#!topic/google-web-toolkit/Ezr6acdyZv0
* SpringSource i.e. http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/. Furthermore, as the disclosure by Aspect Security occurred in January 2013 this conflicts with their statement that the statistics were sampled well before 2013.

2. Aspect Security have promoted both AntiSammy and ESAPI in A1 or A3 which they also hold the Project Leadership of. However, their paid research for Sonatype states that their insecure releases are still being downloaded. Therefore, OWASP is placed inm until recently, unknown catastrophic residual risk as it appears that OWASP is hypocritical in not following their own recommendation i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-June/001095.html

3. The residual risk of A9 will be accepted by the developer due to the significant cost with change i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-February/000844.html

4. A9 does not direct the reader to other related open source projects, such as https://github.com/gcmurphy/enforce-victims-rule, https://github.com/jeremylong/DependencyCheck, etc

5. The Press Release from Sonatype quotes Jeff Williams and was not approved under the OWASP Quotes process which he also championed as an OWASP Board Member. Furthermore, Aspect Security did not attempt to inform the OWASP Foundation once they were alerted to the publication of the Press Release i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001017.html

6. Aspect Security hosted a Chapter Meeting on 6 June to promote Sonatype and A9 before the actual 2013 release was accepted by the webappsec community i.e. http://www.meetup.com/OWASP-Baltimore-Chapter/events/119389612/

OTHER SOURCES OF STATISTICS

7. The statistics from both WhiteHat and HP (i.e. Fortify and WebInspect) require registration. Dave Wichers of Aspect Security has *not* published the promised alternate links i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001041.html

8. Statistics from either Trustwave, Softek or Minded Security were *not* analysed as this would have resulted in a second release of the RC or at least notification of the result i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001054.html and http://lists.owasp.org/pipermail/owasp-topten/2013-May/001080.html

9. Aspect Security have not published their statistical analysis i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-June/001096.html For comparison purposes, Minded Security were able to publish their effort within less than a month (28 January to 19 February).

2010 RELEASE

10. Softek are *not* listed as a sponsor within the pages of the deliverable as Aspect Security have taken this space for their own enlarged company logo i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001039.html

ABUSE FROM ARSHAN DABIRSIAGHI OF ASPECT SECURITY

11. The formal complaint is available from http://lists.owasp.org/pipermail/owasp-topten/2013-June/001099.html

← Older revision		Revision as of 20:03, 24 February 2014
Line 1:		Line 1:
−	= NOTE : THIS ~~ARTICLE~~ IS THE OPINION OF ONE INDIVIDUAL AND IS NOT AN OFFICIAL POSITION BY THE OWASP FOUNDATION =	+	= NOTE : THIS PAGE IS THE OPINION OF ONE INDIVIDUAL AND IS NOT AN OFFICIAL POSITION OF THE OWASP FOUNDATION =

	INTRODUCTION		INTRODUCTION

← Older revision		Revision as of 20:03, 24 February 2014
Line 1:		Line 1:
		+	= NOTE : THIS ARTICLE IS THE OPINION OF ONE INDIVIDUAL AND IS NOT AN OFFICIAL POSITION BY THE OWASP FOUNDATION =
		+
	INTRODUCTION		INTRODUCTION

← Older revision		Revision as of 18:59, 9 June 2013
Line 1:		Line 1:
		+	''[Note that the contents of this page are representative of the authors' opinions and not necessarily of OWASP or its members.]''
		+
	INTRODUCTION		INTRODUCTION

@@ Line 1: / Line 1: @@
 INTRODUCTION
 The Terms of References for the "OWASP Top Ten Code of Ethics violations and project handbook." agenda item i.e. https://www.owasp.org/index.php/June_10,_2013 are specified below.
-There are several complaints made against Aspect Security, including http://lists.owasp.org/pipermail/owasp-leaders/2013-June/009432.html, http://lists.owasp.org/pipermail/owasp-topten/2013-May/date.html, etc
+There are several complaints made against Aspect Security by OWASP Members, including http://lists.owasp.org/pipermail/owasp-leaders/2013-June/009432.html, http://lists.owasp.org/pipermail/owasp-topten/2013-May/date.html, etc
 Each numbered item has been grouped into themes based on headings below:
@@ Line 11: / Line 9: @@
 A9 AND SONATYPE
-. The are several external complaints stating that the Sonatype/Aspect Security statistics are unscientific and bias and some examples are:
+. The are several external complaints from OWASP members stating that the Sonatype/Aspect Security statistics are unscientific and bias and some examples are:
 * GWT i.e. https://groups.google.com/forum/?fromgroups#!topic/google-web-toolkit/Ezr6acdyZv0
 * SpringSource i.e. http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/.  Furthermore, as the disclosure by Aspect Security occurred in January 2013 this conflicts with their statement that the statistics were sampled well before 2013.
@@ Line 27: / Line 25: @@
 OTHER SOURCES OF STATISTICS
-. The statistics from both WhiteHat and HP (i.e. Fortify and WebInspect) require registration.  Dave Wichers of Aspect Security has *not* published the promised alternate links i.e.  http://lists.owasp.org/pipermail/owasp-topten/2013-May/001041.html
+. The statistics from both WhiteHat and HP (i.e. Fortify and WebInspect) require registration.  <del>Dave Wichers of Aspect Security has *not* published the promised alternate links i.e.  http://lists.owasp.org/pipermail/owasp-topten/2013-May/001041.html</del>
-. Statistics from either Trustwave, Softek or Minded Security were *not* analysed as this would have resulted in a second release of the RC or at least notification of the result i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001054.html and http://lists.owasp.org/pipermail/owasp-topten/2013-May/001080.html
+. Statistics from either Trustwave<del>, Softek or</del> Minded Security were *not* analysed as this would have resulted in a second release of the RC or at least notification of the result i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001054.html and http://lists.owasp.org/pipermail/owasp-topten/2013-May/001080.html
 . Aspect Security have not published their statistical analysis i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-June/001096.html  For comparison purposes, Minded Security were able to publish their effort within less than a month (28 January to 19 February).
@@ Line 35: / Line 33: @@
 RELEASE
-. Softek are *not* listed as a sponsor within the pages of the deliverable as Aspect Security have taken this space for their own enlarged company logo i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001039.html
+. Softek are *not* listed as a sponsor within the pages of the 2010 deliverable as Aspect Security have taken this space for their own enlarged company logo i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001039.html
 ABUSE FROM ARSHAN DABIRSIAGHI OF ASPECT SECURITY
 . The formal complaint is available from http://lists.owasp.org/pipermail/owasp-topten/2013-June/001099.html

← Older revision	Revision as of 18:51, 9 June 2013
(No difference)