Tuesday, August 29, 2017

Connector August 2017

OWASP Connector

Mon, August 28, 2017
Communications

Operations Update

The August Operations Update includes vital information about OWASP's infrastructure initiatives, project activity, and Chapters. Read it for an overview of what is happening in OWASP.


Improved Reimbursements System on Horizon for OWASP

OWASP’s growth over the past decade has been phenomenal! We have grown from an idea to over 40,000 participating members, 2,000 paid or honorary members, and a staff of 6. As an organization we have prioritized support for volunteer-led priorities and experimentation in our dynamic community. This means that staff has created a lattice of support procedures for small, experimental activities that rapidly became a mainstay of OWASP. As our needs or size changed, these procedures either remained the same or underwent repeated limited revision.

Some of these processes were perfect for OWASP 5 or even 2 years ago, but now need to be made more robust to support their exponentially larger loads. During 2017 and 2018 the staff will be focusing on improving these basic processes to increase speed, transparency and ease for our volunteers.

One example of this is the OWASP reimbursement system. Currently all reimbursements go through tata forms into a black hole until paid. The only way for a submitter to check on the progress of their reimbursement is by repeatedly emailing a staff member. Furthermore, in many cases that staff member must repeatedly email accounting to get an update as well. Worse, previous workflows were not identical across all OWASP activities. All of this led to confusion and inefficiency.

The OWASP Staff has created a new reimbursement system that will utilize Jira to make sure that all reimbursements go through the appropriate workflow and that the submitter can see where their reimbursement is in the process at any time. All reimbursement communications will be in the same place to facilitate swift repayment. This reimbursement system will be launched in the coming month and there are no changes to the current funding rules. You can read more about how it will work complete with examples on the OWASP Wiki.


2017 Global Board of Directors Election

The OWASP Board of Directors are seven hardworking volunteers elected to direct the financial and outreach goals of the organization. As a group the board members self organize into positions and guide the organization by defining our strategic goals. You can follow the election on the Board of Directors Election wiki page.

This year we have seven candidates running for the four open board positions. You can click on their names to read their bios and statements of purpose:

Greg Anderson, Bil Corry, Arthur Hicken, Steve Kosten, Sherif Mansour, Owen Pendlebury, Milton Smith, Chenxi Wang

Additionally, during this time we request that our members submit questions to be asked of our candidates for the board during an interview that will be recorded and shared prior to the election. The following are the winning questions from our community.

1. How do you make sure that the board's decisions won't be influenced by any personal favors or corruption?

2. OWASP does not have a great reputation internationally due to what most people call "Politics", how do you intend to solve the "Politics" problem?

3. How do you intend to address bullying within OWASP? If someone is a repeat offender, will you enforce rules to expel or suspend offending parties?

4. How do you intend to empower the Compliance Committee? Currently all it has the power to do is mediate or make suggestions, it needs more than that.

5. What accomplishments related to OWASP Foundation's mission have you demonstrated in the last (5) years?

6. What kind of action plan do you have in mind to help motivate the participation of Developers into OWASP community?

7. What is your strategy to keep chapters active and motivated with OWASP and keep having meetings and organize local events?

Don’t forget that you must be a member by September 30th to vote for the OWASP Board of Directors. Get your Membership Today!


OWASP Volunteer Platform

We are ready to begin the design stage for building the OWASP Volunteer Platform and we need your help! The first step of the design phase is a set of surveys. OWASP Leaders will receive a survey to explore your needs as volunteer managers via email. The survey will be active until September 22, 2017. The wider OWASP community will be encouraged to follow a link to the Volunteer Portal Survey for Community Members which explores the needs of prospective volunteers in a volunteer management platform. You do not need to be a paid member of OWASP to take the survey. If you are both a Leader who manages volunteers and a volunteer elsewhere in OWASP you are encouraged to take both surveys.

Your input is invaluable and we thank you for your time.

https://www.surveymonkey.com/r/OWASP-VolunteerSurvey-Communitymemeber

(estimated time to take: 4 min.)




Projects

OWASP Top 10 2017 Project Update

The OWASP Top 10 is the most heavily referenced, most heavily used, and most heavily downloaded document at OWASP. Therefore, it rightfully has a greater level of scrutiny and a greater level of review as befitting a Flagship project.

Under new leadership, the project has issued a second call for data and survey, which will end on September 18th. You can read more about it on the Top 10 Blog post at the OWASP Blog.


OWASP Project Reviews @ APPSEC USA 2017

Once more OWASP is reviewing projects that wish to graduate from Incubator to Lab to Flagship at this workshop. We are also performing some more detailed health checks. The purpose of these assessments is to determine whether a project meets the minimum criteria to graduate as outlined in the Project Health Assessment Criteria Document. The review process begins with an initial self-assessment done by the project leader and reviewed by Matt Tesauro. Next, the assessment enters the peer review phase where we ask volunteers in our OWASP Community to participate and finalize the results. Here's a Sample of a Project Assessment to give you an idea of what these look like.

We are still looking for more volunteers to help in this mission. Sign Up!

OWASP Project Reviews @ APPSEC USA 2017 - Funding Incentive is Available!

Please contact Claudia Aviles Casanovas and Matt Tesauro with any questions.




Events

Utilizing DevSecOps to Its Fullest Potential at AppSec USA

DevSecOps will be one of the most discussed topics at this year’s AppSec conference for obvious reasons. It’s one of the fundamental building blocks of security, development, and organizational growth. We’ll have plenty of DevSecOps talks and workshops to keep you busy, but here are a few of this year’s highlights:

Overcoming Mobile App Security Challenges with DevOps (Thursday, 9/21 @ 11:30am): Solution Engineer for NowSecure, Brian Lawrence examines some of the most common reasons companies struggle without consistent DevOps programs. He’ll look at challenges such as technology fragmentation, how mobile apps expose enterprise architecture, the unending updates cycle, and more before framing some successful DevSecOps processes to mitigate these issues.

Making Vulnerability Management Less Painful with OWASP DefectDojo (Thursday, 9/21 @ 1:30pm): Let Greg Anderson, Senior Security Engineer for Pearson, take some of the pain and tedium out of vulnerability management by introducing you to DefectDojo. He’ll demo this enterprise-level tool’s ability to automate, report, scan, and service vulnerabilities to make your (and your engineers’) lives easier.

WAFs FTW! A Modern DevOps Approach to Security Testing Your WAF (Thursday, 9/21 @ 3:30pm): In this lecture Zack Allen, Threat Operations Manager at ZeroFox, examines a framework to test arbitrary Web Application Firewall implementations and explores rapid prototyping of attack payloads without relying on developer support to verify WAF defenses and make this tool more valuable than ever.

Core Rule Set for the Masses (Friday, 9/22 @ 11:30pm): Although ModSecurity - OWASP’s very own web application firewall - is widely considered an exceptional security tool, maintaining and managing the system can be tedious, time consuming and difficult. OWASP volunteer Tin Zaw and Robert Whitely, Security Solutions Architect for Verizon Digital Media Services, work together to share some benefits of enhancing and fine tuning to spend less time managing and more time enjoying ModSecurity.

How to Stop Worrying About Application Container Security (Friday, 9/22 @ 2:30pm): Information Security Engineer for the US Citizenship and Immigration Services (USCIS), Brian Andrzejewski challenges existing security models by harnessing containers to deploy applications securely and swiftly. He’ll use his experience at USCIS as a case study to frame this innovative concept and discuss the merits of building a container ecosystem.

Volunteer spots for AppSec USA now open!

OWASP has volunteer positions available for AppSec USA. If you are interested, please take a moment to choose your shifts through this signup.com form.

If you are volunteering in exchange for your ticket you will receive an email explaining how to register for the conference. If you are planning on doing this, please remember that you will need to sign up for 8 hours' worth of shifts and OWASP does not cover travel or accommodations.

Remember to consult the Conference Schedule to make sure that you do not choose a shift that conflicts with your preferred talks.

Volunteer Orientation is on-site Monday evening. You will receive an email with the exact time and location closer to the event. If you can't make it, please let us know!


OWASP World Tour

This year the strategic goal of OWASP is to raise awareness and spread application security knowledge world-wide by hosting a training world tour. The 2017 world tour will have three, free mass application security training events. Each one-day AppSec training course will teach 500 developers, software testers and entry level application security professionals core security topics.

Our goal is that each training will combine general security principles, such as the principle of least privilege, using secure defaults, and reducing attack surface, with AppSec-specific topics such as parameterized queries to prevent SQLi and input validation and encoding. We are also interested in teaching how OWASP Projects can assist in developing secure software.

As part of the OWASP World Tour we are inviting all professional trainers to apply to the Call for Training for your opportunity to train in Tokyo, Boston, or Tel Aviv. The call will close this month, so apply today!

If you are interested or know someone who is interested in attending the OWASP World Tour near you, please keep an eye on the OWASP Blog or OWASP World Tour Wiki Page for registration.


5th Annual AppSec Bucharest

The OWASP Bucharest team is happy to announce the OWASP Bucharest AppSec Conference 2017 at Hotel Caro, a three-day security and hacking conference dedicated to application security. The event will be in English, with cutting-edge topics presented by renowned security professionals.

The CfP is open through September 9th as is the Call for Training.

Oct 11th and 12th are dedicated to trainings, and on the 13th talks and workshops will run in parallel. We will also have a CTF with a grand prize of 1024 Euros. Conference talks are free; however, you need to register.

More information, including the current training schedule, is available on the wiki.

Upcoming Events

Training Events

  • OWASP Cyber Security Explorer — August 10–11, 2017; Amity University, Rajasthan, India
  • OWASP Training Day 2017 — October 4, 2017; Portland, OR, USA
  • OWASP World Tour — September 30, 2017; Tokyo, Japan
  • OWASP World Tour — October 9, 2017; Boston University, Boston, MA, USA
  • OWASP World Tour — October 17, 2017; Tel Aviv, Israel


Chapters

OWASP Go Live?

We are looking for Chapters interested in participating in the alpha test of the OWASP Discourse system. You can read more about the requirements on the OWASP Discourse roll out plan. If interested, please fill out this form of interest.



Membership

June 2017 Corporate Members


August 2017 Corporate Members

We would like to thank the following companies for supporting the OWASP Foundation.  
The companies listed below have contributed this month by either renewing their existing 
Corporate Membership or joining OWASP as a new Corporate Member.  

Details about Corporate Membership can be found here.



Contributor Corporate Members


Code Dx is committed to reducing barriers to effective application security. Our automated application vulnerability correlation and management tools help find and fix insecure code faster, with less effort and a smaller team. Focus your precious resources on developing valuable new features, and ship secure code faster and more often.
For more information, please visit https://codedx.com/



Founded in 1975, Information Builders continues to deliver state-of-the-art technology that is transforming business in all commercial industries, government, and education. We remain one of the largest independent, privately held companies in the software industry. Headquartered above Madison Square Garden in New York, Information Builders operates in more than 60 global locations and has built an active customer base of tens of thousands of major installations at the world's leading organizations. Information Builders is not only a major software supplier to our customers, but also a major provider to the leading software vendors in the industry including HP, IBM, Oracle, SAP, Teradata, and many others. In addition to our commitment to superior software engineering, we are equally proud of our people. Some of the most talented and creative professionals in the industry work at Information Builders and are passionate about what they do. In fact, the professionalism and tenure of our employees is often cited as a major differentiator by our customers. Our reputation for customer service has garnered us the highest honors from “CRM” magazine, the SSPA, and the American Business Awards. Our products and services have received top recognition from independent analyst research firms including Gartner, Forrester, Ventana Research, BARC, Butler, Bloor, and The Data Warehouse Institute (TDWI). Most importantly, our customers have received the most information technology and business awards for their accomplishments. More than 50 of our customers have had their information systems inducted into the Smithsonian Institute for superior information technology achievement through the Computerworld Honors Program. http://www.informationbuilders.com/about_us






Want your company name here? 
Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia, our Membership & Business Liaison today!  



Thank you to all of our Premier and Contributor Corporate Members for your support!
 

The OWASP Foundation, 1200C Agora Drive #232, Bel Air, Maryland, 21014, USA

Thursday, August 24, 2017

August 2017 Corporate Members



We would like to thank the following companies for supporting the OWASP Foundation.  
The companies listed below have contributed this month by either renewing their existing 
Corporate Membership or joining OWASP as a new Corporate Member.  

Details about Corporate Membership can be found here.



Contributor Corporate Members


Code Dx is committed to reducing barriers to effective application security. Our automated application vulnerability correlation and management tools help find and fix insecure code faster, with less effort and a smaller team. Focus your precious resources on developing valuable new features, and ship secure code faster and more often.
For more information, please visit https://codedx.com/



Founded in 1975, Information Builders continues to deliver state-of-the-art technology that is transforming business in all commercial industries, government, and education. We remain one of the largest independent, privately held companies in the software industry. Headquartered above Madison Square Garden in New York, Information Builders operates in more than 60 global locations and has built an active customer base of tens of thousands of major installations at the world's leading organizations. Information Builders is not only a major software supplier to our customers, but also a major provider to the leading software vendors in the industry including HP, IBM, Oracle, SAP, Teradata, and many others. In addition to our commitment to superior software engineering, we are equally proud of our people. Some of the most talented and creative professionals in the industry work at Information Builders and are passionate about what they do. In fact, the professionalism and tenure of our employees is often cited as a major differentiator by our customers. Our reputation for customer service has garnered us the highest honors from “CRM” magazine, the SSPA, and the American Business Awards. Our products and services have received top recognition from independent analyst research firms including Gartner, Forrester, Ventana Research, BARC, Butler, Bloor, and The Data Warehouse Institute (TDWI). Most importantly, our customers have received the most information technology and business awards for their accomplishments. More than 50 of our customers have had their information systems inducted into the Smithsonian Institute for superior information technology achievement through the Computerworld Honors Program. http://www.informationbuilders.com/about_us




Want your company name here? 
Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia, our Membership & Business Liaison today!  



Thank you to all of our Premier and Contributor Corporate Members for your support!

Monday, August 21, 2017

OWASP Project Reviews @ APPSEC USA 2017

Once more OWASP is reviewing projects that wish to graduate from Incubator to Lab to Flagship at this workshop. We are also performing some more detailed health checks. The purpose of these assessments is to determine whether a project meets the minimum criteria to graduate as outlined in the Project Health Assessment Criteria Document. The review process begins with an initial self-assessment done by the project leader and reviewed by Matt Tesauro. Next, the assessment enters the peer review phase where we ask volunteers in our OWASP Community to participate and finalize the results. Here's a Sample of a Project Assessment to give you an idea of what these look like.

We are still looking for more volunteers to help in this mission. Sign up!

OWASP Project Reviews @ APPSEC USA 2017 - Funding Incentive is Available!


Please contact Claudia Aviles Casanovas and Matt Tesauro with any questions.

Thursday, August 10, 2017

OWASP World Tour



This year the strategic goal of OWASP is to raise awareness and spread application security knowledge world-wide by hosting a training world tour.  The 2017 world tour will have three, free mass application security training events.  Each one-day AppSec training course will teach 500 developers, software testers and entry level application security professionals core security topics. 

Our goal is that each training will combine general security principles, such as the principle of least privilege, using secure defaults, and reducing attack surface, with AppSec-specific topics such as parameterized queries to prevent SQLi and input validation and encoding. We are also interested in teaching how OWASP Projects can assist in developing secure software.

As part of the OWASP World Tour we are inviting all professional trainers to apply to the Call for Training for your opportunity to train in Tokyo, Boston, or Tel Aviv. The call will close this month, so apply today!

If you are interested or know someone who is interested in attending the OWASP World Tour near you, please keep an eye on the OWASP Blog or OWASP World Tour Wiki Page for registration.  

Wednesday, August 9, 2017

OWASP Board of Directors Candidates and Questions

The OWASP Board of Directors are seven hardworking volunteers elected to direct the financial and outreach goals of the organization.  As a group the board members self organize into positions and guide the organization by defining our strategic goals.  You can follow the election on the Board of Directors Election wiki page.

This year we have seven candidates running for the four open board positions. You can click on their names to read their bios and statements of purpose:






Additionally, during this time we request that our members submit questions to be asked of our candidates for the board during an interview that will be recorded and shared prior to the election.  The following are the winning questions from our community.

1. How do you make sure that the board's decisions won't be influenced by any personal favors or corruption?
2. OWASP does not have a great reputation internationally due to what most people call "Politics", how do you intend to solve the "Politics" problem?
3. How do you intend to address bullying within OWASP? If someone is a repeat offender, will you enforce rules to expel or suspend offending parties?
4. How do you intend to empower the Compliance Committee? Currently all it has the power to do is mediate or make suggestions, it needs more than that.
5. What accomplishments related to OWASP Foundation's mission have you demonstrated in the last (5) years?
6. What kind of action plan do you have in mind to help motivate the participation of Developers into OWASP community?
7. What is your strategy to keep chapters active and motivated with OWASP and keep having meetings and organize local events?

Don’t forget that you must be a member by September 30th to vote for the OWASP Board of Directors.  Get your Membership Today!

Monday, August 7, 2017

OWASP Operations Update for August 2017

Welcome to the operations update for August 2017, the ongoing series of updates on what's happening at the OWASP Foundation.  Last month's post is available here.

In another departure from our normal format, I'd like to have a bit of a preamble to set expectations for the community.

With the staff reduced by 20% from 8 down to 6 FTEs, things are going to take longer than anyone would like. Know that the OWASP staff is doing the best they can under difficult circumstances. We currently do not have an ETA on any new hires at OWASP. However, to offset the workload from Kate and Alison's departure (detailed last month), OWASP has:

  • contracted out the accounting functions Alison was doing. She was doing more than just accounting but her former accounting functions have been covered. We've had 1 month of transition and things are going fairly well. We're still uncovering things that Alison did that haven't been handed off yet but we're nearly there.
  • started migrating some of our oldest and least user-friendly forms/processes from Google Docs 'apps' to Jira Service Desk. The first of these is the funds reimbursement form which should be live by mid-August with more to come over the next couple of months.

So, while we've got items in motion to help streamline things going forward, those items haven't started to pay dividends yet. We want the community to know that the staff feel your pain with some of the inevitable delays that will happen with a smaller staff. We're doing what we can to build up the least amount of tech and operational debt as we go forward.

OWASP IT Infrastructure Hosting - Modernizing and migrating the OWASP infrastructure
  • Remaining hosts at Rackspace: OWASP Wiki, Mailman server, Virtual-host server which provides redirects and static content
    • These are on hold until staff is back to full strength
  • For the current status details, see the June 2017 update.
The Website Reboot - aka TWR - a major effort to update and modernize OWASP's web presence
  • Phase 1 is complete
    • Note: Due to lack of staff availability, the wiki is running the legacy LTS release not latest stable so Phase 1 will need to be repeated in future when this comes off hold.
  • Phase 2, 3 and 4 are in process
  • These are on hold until staff is back to full strength.
  • For the current status details, see the June 2017 update.
The OWASP Communication Plan 
  • Discourse as a replacement for Mailman
    • On a significantly reduced roll-out plan until staff is back to full strength
    • For the roll-out plan, see the Community section below.
  • Beta program for the Foundation's Global Meetup account continues
OWASP 2017 Strategic Goal aka The OWASP World Tour 
  • TLDR: Host 4 trainings worldwide of ~500 attendees geared toward developers and entry-level security professionals - further details on the wiki.
  • 4 locations reduced to 3 due to staff departures
    • Tokyo Bootcamp - September 30, 2017
    • Boston BOAST - October 9, 2017
    • Tel Aviv DevSec - October 17, 2017
  • Call for Trainers anticipated launch is mid-August
Association Management System (AMS) Upgrade 
  • Completed as of August 1st, 2017
Projects 
  • AppSec USA 2017
    • Final details and marketing plan in full force
    • Sponsor Expo Location Selection
      • Those sponsors who have paid in full have chosen their expo locations
      • Those who have not yet paid have not chosen their expo location and have not received their discount codes
  • AppSec EU 2018
    • Finalizing Gantt Chart
    • Conference budget built out
    • Multiple RFPs out for bid
  • AppSec APAC 2018 - proposal under review
Membership 
  • 55 Corporate Members
    • $185,000 (46% of yearly goal)
  • 2017 WASPY Awards
    • Nominees notified and winners posted plus announced to the community
    • Prepping for Award Ceremony at AppSec USA 2017
  • 2017 Global Board of Directors Elections
    • Candidates vetted and notified if they are eligible or not
    • Candidates will be posted the week of August 7th
    • Scheduling candidate group interviews to start August 25th to September 1st
  • Developer Summit at AppSec USA 2017
    • 3 trainers confirmed (1 full day presentation and two 1/2 day presentations)
  • BlackHat USA 2017
    • Kelly and Dawn represented the OWASP Foundation at our booth during the event along with several community volunteers
Community
As always, the OWASP Staff are here to make the OWASP community even stronger.  If you have a question, concern or need something, please let us know using the 'Contact Us' form.  Also, feel free to attend, suggest or otherwise engage with the OWASP Foundation further at the August 9th Board Meeting.

Your friendly remaining neighborhood OWASP staff:
    Kelly, Laura, Claudia, Tiffany, Dawn and Matt

AppSec USA Speakers



A Senior Application Security Engineer for Verizon, the Director of Software Engineering for Capital One, and a Senior Cloud Security Engineer at Netflix walk into a bar …
No, this isn’t the start of a bad InfoSec joke. It’s a preview of the speakers you can expect to hear from at OWASP’s AppSecUSA Conference in Orlando, Florida from September 19 – 22, 2017. In addition to individual breakout sessions featuring security, application, and information technology leaders from companies such as Citrix Systems, Slack, PayPal, and USAA, you’ll also have direct access to daily keynote addresses showcasing the latest security ideas and technology advances.
AppSecUSA’s opening keynote kicks off with a not-to-be-missed session from educator and author Jim Manico and Cigital CTO John Steven. Jim will weave topics from his upcoming book from McGraw-Hill and Oracle-Press about Java web security with John’s expertise on threat modeling and architecture risk analysis to frame up today’s landscape in secure development and where the industry is going.
On day two, Runa Sandvik, Director of Information Security at The New York Times, delves deeper into how application and information security impacts a variety of industries, including journalism and the general population’s understanding of the news. And if that wasn’t enough, Jen Ellis, VP of Community and Public Affairs for Rapid7, will wrap up the conference with her perspectives on how technology specialists and government agencies can work better together for a more secure information infrastructure in our world today.
AppSecUSA’s speakers tackle hot topics from government security to threat management, and from DevSecOps to cookie security and supply chain management across a wide array of industries. For a full list of announced speakers click here to learn more and register for AppSecUSA today: https://appsecusa2017.sched.com/directory/speakers. This is one lineup you don’t want to miss!






Wednesday, August 2, 2017

OWASP Top 10 2017 Project Update

The OWASP Top 10 is the most heavily referenced, most heavily used, and most heavily downloaded document at OWASP. Therefore, it rightfully has a greater level of scrutiny and a greater level of review as befitting a Flagship project.


The previous Top 10 leaders have passed the baton for this project on to a new team and we will strive to address the feedback that has been provided over the past few months. We have discussed as a team and at the OWASP Summit what steps must be taken and what changes must be made to the OWASP Top 10.


A summary of changes is listed below, please read further to understand more of the why behind them:
  • The Top 10 will focus on Vulnerability Categories.
  • Feedback on the mailing list has been moved to the Issues List (https://github.com/OWASP/Top10/issues) in GitHub, please continue to contribute feedback there.
  • The content of the document will be extracted to provide easier translations.
  • Scoring for Top 10 entries is intended to be based on Common Weakness Scoring System (CWSS)
  • For the 2017 Edition, 8 of 10 vulnerabilities will be selected from data submitted via the call for data and 2 of 10 will be selected from an industry-ranked survey.
  • A ranked survey (https://goo.gl/forms/ltbKrdYrp4Qdl7Df2) is now available for industry professionals to select two new vulnerability categories for inclusion in the Top 10 2017. The deadline for the survey is 30 August, 2017.
  • The call for data (https://goo.gl/forms/tLgyvK9O74r7wMkt2) is now reopened to allow for additional data to be collected for analysis. The new deadline for the extended data call is 18 September, 2017.
  • The Top 10 2017 RC2 will be released for review and feedback 9 October, 2017.
  • The final release of the Top 10 2017 is targeted for 18 November, 2017.




The OWASP Top 10 has always been about missing controls, flawed controls, or working controls that haven’t been used, which when present are commonly called vulnerabilities. We have traditionally linked the OWASP Top 10 into the Common Weakness Enumeration (CWE) list maintained by NIST / MITRE. We will continue to align with CWEs and utilize the CWSS scoring system to help provide an industry standard measurement.
For the Top 10 2017, we will be focusing on vulnerability categories. These categories will be mapped to one or more CWEs where possible. The scoring system for the Top 10 will be updated to leverage the CWSS as much as feasible. Like the Common Vulnerability Scoring System (CVSS) for specific Common Vulnerabilities & Exposures (CVEs), we are intending to use CWSS for vulnerability categories. In the scenario where there are multiple CWEs, we will use the high-water mark; if there is a vulnerability category without a matching CWE, we will do what we can to align a CWSS score.
Although the OWASP Top 10 is partially data-driven, there is also a need to be forward looking. At the OWASP Summit we agreed that for the 2017 Edition, eight of the Top 10 will be data-driven from the public call for data and two of the Top 10 will be forward looking and driven from a survey of industry professionals. The OWASP Top 10 will clearly identify which items are forward looking: we will use the CWSS score of these items (if a CWE for the issue exists) or our best judgement on where the issue will be ranked in the Top 10.


The extended call for data can be accessed here: https://goo.gl/forms/tLgyvK9O74r7wMkt2
The two items that are not data-driven will be supported by a qualitative survey. The survey is comprised of vulnerability categories that were identified as “on the cusp,” mailing list feedback, and previous call for data feedback. Respondents should rank the top four most important vulnerability categories from their knowledge and experience. The two vulnerability categories with the total highest ranking will be included in the Top 10 2017. The information will also help us develop a plan to better structure the call for data for the OWASP Top 10 2020.


The survey can be accessed here: https://goo.gl/forms/ltbKrdYrp4Qdl7Df2


Every single issue in the OWASP Top 10 should have a direct cause: either one or more missing or ineffective controls, or not using an in-place control. Every issue should be precise in its language and view (as in not intermingling the terms “weakness,” “vulnerability,” “threat,” “risk,” or “defect”) so each issue can be theoretically testable. This will help us make a stronger and more defensible list of included items.
We aim to review and resolve ontological concerns, such as including issues that are not like the others. This means that in some circumstances, there should be a view from the Developer perspective (documented by the OWASP Proactive Controls) and a view for the Defending Blue Team (documented by the currently non-existent OWASP Defensive Controls).
Every issue should contain clear and effective advice on remediation, deterrence, delay and detection that can be adopted by any development team - no matter how small or how large. As the OWASP Top 10 are important vulnerability categories, we should strive to make our advice easy to follow and easily translatable into other languages.
From a methodology point of view, we are looking at taking lessons learned from 2017 and coming up with a better process for the OWASP Top 10 in 2020. We would like to coordinate with other teams to provide a staggered release of the other OWASP Top 10 efforts with sufficient time between each release to allow the industry to upgrade and adopt in a practical way.
Lastly, we are opening up the text to provide history and traceability. We need to ensure that all of the issues documented within any of the various Flagship projects, but particularly the OWASP Top 10, can be satisfied by developers and devops engineers without recourse to paid tools or services. There is value in the use of paid services and tools, but as an open (as in free and in liberty) organization, the OWASP Top 10 should have a low barrier of entry, and high effectiveness of any suggested remediations.
Thank you, and we look forward to working with you on the OWASP Top 10.


OWASP Top 10 Project Leaders
Andrew van der Stock
Neil Smithline
Torsten Gigler
Data Analyst

Brian Glas