This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Top 10 2013/ProjectMethodology"

From OWASP
(Suggested Enhancements: Adding items from mailing list)
(Current Methodology)
Line 5: Line 5:
  
 
=Current Methodology=
 
=Current Methodology=
*
+
# Data sources accepted from a variety of companies including:
 +
#* <dave> List involved data sources here
 +
#*
 +
# Data & professional opinion used to create initial Top 10 rankings and items
 +
#* <dave> List involved individuals here
 +
#*
 +
# Public comment period of RC1 from February through end of March
 +
# All comments evaluated and top 10 updated appropriately by:
 +
#* <dave> List involved individuals here
 +
#*
 +
# All comments and responses posted publicly
 +
# <dave> RC2 issued?
 +
# Final version published
  
 
=Current Data Sources=
 
=Current Data Sources=
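Review bot: the added "Current Methodology" list ships with unresolved placeholders: "<dave> List involved data sources here" (twice replaced by an empty sub-bullet), "<dave> List involved individuals here" under steps 2 and 4, and the open question "<dave> RC2 issued?" as step 6. Before this revision is read as the project's methodology, the data-source and panel placeholders should be filled or the empty "#*" sub-bullets removed, and the RC2 question should either be answered in the list or moved to the FAQ or mailing-list discussion rather than left as a numbered step.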

Revision as of 00:16, 28 February 2013

About

The purpose of this page is to clarify the methodology of the OWASP Top 10 project. It describes the data and individuals involved in the Top 10, the current process, suggestions for improving involvement and participation, and an FAQ covering common questions and concerns.

This is a wiki and editable by anyone with an OWASP account. Please contribute constructively to the conversation. Additional discussion should also take place on the OWASP Top 10 mailing list.

Current Methodology

  1. Data sources accepted from a variety of companies including:
    • <dave> List involved data sources here
  2. Data & professional opinion used to create initial Top 10 rankings and items
    • <dave> List involved individuals here
  3. Public comment period of RC1 from February through end of March
  4. All comments evaluated and top 10 updated appropriately by:
    • <dave> List involved individuals here
  5. All comments and responses posted publicly
  6. <dave> RC2 issued?
  7. Final version published

Current Data Sources

Suggested Enhancements

  • Use a public wiki to capture feedback - mailing lists are tough and things get lost
  • Establish a Top 10 panel to evaluate and make final decisions on inclusion & ranking
    • Not feasible for everyone to vote on every item
    • A diverse panel representing various verticals (vendor, enterprise, offense/defense, etc.)
  • Additional data sources could be considered (please add links)
    • WASC Web Hacking Incident Database
    • Akamai State of the Internet Reports
    • FireHost's Web Application Attack Reports
    • Imperva's Web Application Attack Reports
  • Additional reports could be considered:
    • Annual Symantec Internet Threat Reports
    • DataLossDB
    • IBM X-Force threat reports

FAQ