Methodology for top tens


Felipe Zipitria

Jul 13, 2022, 10:31:52 AM
to lea...@owasp.org

Hello leaders,

Taking a look at the general list of "Top 10" projects we have, and after a search on the OWASP site, there are (with different levels of maturity):

- OWASP Top 10 (of course)

- OWASP Mobile Top 10

- OWASP API Security Project

- OWASP IoT Top 10

- OWASP Cloud-Native Application Security Top 10

- OWASP Serverless Top 10

- OWASP Kubernetes Top Ten

- OWASP Top 10 Privacy Risks

- OWASP Docker Top 10

- OWASP Desktop App Security Top 10

- OWASP Data Security Top 10

- OWASP Machine Learning Security Top 10

- OWASP Top 10 Card Game

- OWASP Top 10 Client-Side Security Risks

- OWASP Top 10 Low-Code/No-Code Security Risks

- ... (maybe more?)

Disclaimer: I'm not saying we don't need them, nor that they are not important. Also, I'm not implying that the work and effort of the respective leaders is not important or was done wrong.

But I have questions for the broader OWASP:

- What makes something a Top 10?

- Where is the data coming from for stating it?

- What is the methodology followed in each case?

- Do we need one common methodology?

I didn't review all of them, but I know the OWASP Top Ten declares its methodology and where the data comes from: https://owasp.org/www-project-top-ten/#div-data_2020

And lastly: why is the data not public? Is it sensitive? Making the data public might help remove potential bias, and everything would be transparent.

If this is not the right place, we can take it to Slack or somewhere else.

Regards,

Felipe Zipitria.

Co-Leader OWASP Core Rule Set.


Harold Blankenship

Jul 18, 2022, 5:19:43 PM
to Felipe Zipitria, lea...@owasp.org
These are great questions, Felipe. I have been trying to curtail the use of 'Top 10' anything but there isn't a good hard and fast rule when it comes to 'Top 10'.

I, personally, would like to prune the top 10 namespace as I feel it is getting diluted. What makes something a top 10? How are '10' things chosen instead of, maybe 8 or 12? Should every top 10 undergo the same rigor with regard to data collection and review that the OWASP Top Ten does?
In general, I think if a project comes forward as 'Top 10 XYZ Buzzword' then why do we not just call it 'XYZ Buzzword'? The OWASP Top Ten doesn't need clarification regarding the XYZ Buzzword because it IS the Top Ten for OWASP. Is the use of Top Ten or Top 10 only for name recognition and search engine hoopla?

This topic is one that could conceivably be handled via the OWASP Project Committee but I have yet to put it on the agenda there. Leader and community feedback would be great. I would even like to hear from some of the Not-The-OWASP-Top-Ten Top 10 projects out there as well.

Harold L. Blankenship

OWASP Foundation

Director of Technology and Projects


OWASP® and Open Web Application Security Project®  
Registered trademarks of the OWASP Foundation, Inc


--
You received this message because you are subscribed to the Google Groups "Leaders" group.
To unsubscribe from this group and stop receiving emails from it, send an email to leaders+u...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/leaders/1aee85e2-e3cb-4a9b-5c13-9d5294131017%40owasp.org.

Steve Springett

Jul 18, 2022, 11:28:24 PM
to Felipe Zipitria, Harold Blankenship, lea...@owasp.org
The OWASP Top 10 is one of the most recognized projects in the entire security industry. As such, the reputation of anything with OWASP and Top 10 in the name should be protected as much as the OWASP brand itself.

The challenge becomes how does a Top 10 X project achieve the level of quality that we expect while moving through the project maturity levels? It's nearly impossible to do.

The project committee could theoretically take this on.

I know marketing and brand perception hasn't been a strong point for OWASP historically, but input from this perspective would be really useful.

— Steve

Bjoern Kimminich

Jul 19, 2022, 5:56:21 PM
to Steve Springett, Felipe Zipitria, Harold Blankenship, lea...@owasp.org

There are several lists which have just empty website shells, like https://owasp.org/www-project-data-security-top-10/, https://owasp.org/www-project-internet-of-things-top-10/ and https://owasp.org/www-project-machine-learning-security-top-10/.

We also have some, like https://owasp.org/www-project-mobile-top-10/, which seem legitimately different from the web-focused OWASP Top 10, but they haven't seen a release for 6 years.

Then there's https://owasp.org/www-project-serverless-top-10/ which is just an "interpretation" of the original OWASP Top 10 (from 2017), so here the project name is misleading. Related to this, there are lists like https://owasp.org/www-project-top-10-low-code-no-code-security-risks/ which have a 90%+ representation of their entries in the current or a past version of the "classic" OWASP Top 10; they just have a narrower focus.

Finally, a bit confusingly named alongside the inflationary list of Top 10s at OWASP, https://owasp.org/www-project-top-10-card-game/ is not a Top 10 of card games but a card game on the OWASP Top 10.

In my opinion, many of today's "OWASP XYZ Top 10" projects could just as well have been written as a Cheat Sheet in scope of the OWASP Cheat Sheet Series. Or have extended already existing ones.

Cheers,

Björn


psiinon

Jul 20, 2022, 3:41:26 AM
to Bjoern Kimminich, Steve Springett, Felipe Zipitria, Harold Blankenship, Leaders
Sounds like a topic for the next Project Committee :)



--
OWASP ZAP Project leader