This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Issues Concerning The OWASP Top Ten 2013"
(Initial Draft) |
|||
| (4 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| + | = NOTE : THIS PAGE IS THE OPINION OF ONE INDIVIDUAL AND IS NOT AN OFFICIAL POSITION OF THE OWASP FOUNDATION = | ||
| + | |||
INTRODUCTION | INTRODUCTION | ||
The Terms of References for the "OWASP Top Ten Code of Ethics violations and project handbook." agenda item i.e. https://www.owasp.org/index.php/June_10,_2013 are specified below. | The Terms of References for the "OWASP Top Ten Code of Ethics violations and project handbook." agenda item i.e. https://www.owasp.org/index.php/June_10,_2013 are specified below. | ||
| − | There are several complaints made against Aspect Security, including http://lists.owasp.org/pipermail/owasp-leaders/2013-June/009432.html, http://lists.owasp.org/pipermail/owasp-topten/2013-May/date.html, etc | + | There are several complaints made against Aspect Security by OWASP Members, including http://lists.owasp.org/pipermail/owasp-leaders/2013-June/009432.html, http://lists.owasp.org/pipermail/owasp-topten/2013-May/date.html, etc |
Each numbered item has been grouped into themes based on headings below: | Each numbered item has been grouped into themes based on headings below: | ||
| Line 9: | Line 11: | ||
A9 AND SONATYPE | A9 AND SONATYPE | ||
| − | 1. The are several external complaints stating that the Sonatype/Aspect Security statistics are unscientific and bias and some examples are: | + | 1. The are several external complaints from OWASP members stating that the Sonatype/Aspect Security statistics are unscientific and bias and some examples are: |
* GWT i.e. https://groups.google.com/forum/?fromgroups#!topic/google-web-toolkit/Ezr6acdyZv0 | * GWT i.e. https://groups.google.com/forum/?fromgroups#!topic/google-web-toolkit/Ezr6acdyZv0 | ||
* SpringSource i.e. http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/. Furthermore, as the disclosure by Aspect Security occurred in January 2013 this conflicts with their statement that the statistics were sampled well before 2013. | * SpringSource i.e. http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/. Furthermore, as the disclosure by Aspect Security occurred in January 2013 this conflicts with their statement that the statistics were sampled well before 2013. | ||
| Line 25: | Line 27: | ||
OTHER SOURCES OF STATISTICS | OTHER SOURCES OF STATISTICS | ||
| − | 7. The statistics from both WhiteHat and HP (i.e. Fortify and WebInspect) require registration. Dave Wichers of Aspect Security has *not* published the promised alternate links i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001041.html | + | 7. The statistics from both WhiteHat and HP (i.e. Fortify and WebInspect) require registration. <del>Dave Wichers of Aspect Security has *not* published the promised alternate links i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001041.html</del> |
| − | 8. Statistics from either Trustwave, Softek or Minded Security were *not* analysed as this would have resulted in a second release of the RC or at least notification of the result i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001054.html and http://lists.owasp.org/pipermail/owasp-topten/2013-May/001080.html | + | 8. Statistics from either Trustwave<del>, Softek or</del> Minded Security were *not* analysed as this would have resulted in a second release of the RC or at least notification of the result i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001054.html and http://lists.owasp.org/pipermail/owasp-topten/2013-May/001080.html |
9. Aspect Security have not published their statistical analysis i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-June/001096.html For comparison purposes, Minded Security were able to publish their effort within less than a month (28 January to 19 February). | 9. Aspect Security have not published their statistical analysis i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-June/001096.html For comparison purposes, Minded Security were able to publish their effort within less than a month (28 January to 19 February). | ||
| Line 33: | Line 35: | ||
2010 RELEASE | 2010 RELEASE | ||
| − | 10. Softek are *not* listed as a sponsor within the pages of the deliverable as Aspect Security have taken this space for their own enlarged company logo i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001039.html | + | 10. Softek are *not* listed as a sponsor within the pages of the 2010 deliverable as Aspect Security have taken this space for their own enlarged company logo i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001039.html |
ABUSE FROM ARSHAN DABIRSIAGHI OF ASPECT SECURITY | ABUSE FROM ARSHAN DABIRSIAGHI OF ASPECT SECURITY | ||
11. The formal complaint is available from http://lists.owasp.org/pipermail/owasp-topten/2013-June/001099.html | 11. The formal complaint is available from http://lists.owasp.org/pipermail/owasp-topten/2013-June/001099.html | ||
Latest revision as of 20:03, 24 February 2014
NOTE : THIS PAGE IS THE OPINION OF ONE INDIVIDUAL AND IS NOT AN OFFICIAL POSITION OF THE OWASP FOUNDATION
INTRODUCTION
The Terms of References for the "OWASP Top Ten Code of Ethics violations and project handbook." agenda item i.e. https://www.owasp.org/index.php/June_10,_2013 are specified below.
There are several complaints made against Aspect Security by OWASP Members, including http://lists.owasp.org/pipermail/owasp-leaders/2013-June/009432.html, http://lists.owasp.org/pipermail/owasp-topten/2013-May/date.html, etc
Each numbered item has been grouped into themes based on headings below:
A9 AND SONATYPE
1. The are several external complaints from OWASP members stating that the Sonatype/Aspect Security statistics are unscientific and bias and some examples are:
- GWT i.e. https://groups.google.com/forum/?fromgroups#!topic/google-web-toolkit/Ezr6acdyZv0
- SpringSource i.e. http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/. Furthermore, as the disclosure by Aspect Security occurred in January 2013 this conflicts with their statement that the statistics were sampled well before 2013.
2. Aspect Security have promoted both AntiSammy and ESAPI in A1 or A3 which they also hold the Project Leadership of. However, their paid research for Sonatype states that their insecure releases are still being downloaded. Therefore, OWASP is placed inm until recently, unknown catastrophic residual risk as it appears that OWASP is hypocritical in not following their own recommendation i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-June/001095.html
3. The residual risk of A9 will be accepted by the developer due to the significant cost with change i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-February/000844.html
4. A9 does not direct the reader to other related open source projects, such as https://github.com/gcmurphy/enforce-victims-rule, https://github.com/jeremylong/DependencyCheck, etc
5. The Press Release from Sonatype quotes Jeff Williams and was not approved under the OWASP Quotes process which he also championed as an OWASP Board Member. Furthermore, Aspect Security did not attempt to inform the OWASP Foundation once they were alerted to the publication of the Press Release i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001017.html
6. Aspect Security hosted a Chapter Meeting on 6 June to promote Sonatype and A9 before the actual 2013 release was accepted by the webappsec community i.e. http://www.meetup.com/OWASP-Baltimore-Chapter/events/119389612/
OTHER SOURCES OF STATISTICS
7. The statistics from both WhiteHat and HP (i.e. Fortify and WebInspect) require registration. Dave Wichers of Aspect Security has *not* published the promised alternate links i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001041.html
8. Statistics from either Trustwave, Softek or Minded Security were *not* analysed as this would have resulted in a second release of the RC or at least notification of the result i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001054.html and http://lists.owasp.org/pipermail/owasp-topten/2013-May/001080.html
9. Aspect Security have not published their statistical analysis i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-June/001096.html For comparison purposes, Minded Security were able to publish their effort within less than a month (28 January to 19 February).
2010 RELEASE
10. Softek are *not* listed as a sponsor within the pages of the 2010 deliverable as Aspect Security have taken this space for their own enlarged company logo i.e. http://lists.owasp.org/pipermail/owasp-topten/2013-May/001039.html
ABUSE FROM ARSHAN DABIRSIAGHI OF ASPECT SECURITY
11. The formal complaint is available from http://lists.owasp.org/pipermail/owasp-topten/2013-June/001099.html
