Dave Wichers* appears in the latest OWASP Podcast (go get it!). In the podcast, he goes through the huge number of OWASP projects he’s been involved in. There’s no doubt Dave’s massive investment in time, intellectual property, and money have been instrumental to OWASP’s success. Without Jeff and Dave’s leadership and contributions, OWASP would be a far poorer place.
But…. the problem starts when he goes through attribution for the OWASP Top 10, starting around the 17 minute mark. Dave says “Jeff Williams and I basically wrote it” (17:10 onwards), and had various people in OWASP review it such as Dinis Cruz and myself. This is exactly what happened for the 2004 version. But the way it was said implies that the OWASP Top 10 2007 was Dave and Jeff’s and I reviewed that too. I’m sure Dave didn’t mean to miss out on appropriate attributions (he’s a straight up and down sort of guy), but just in case anyone thinks like I did when listening to the podcast, I’d like to set the story straight:
The OWASP Top 10 2004 was Jeff and Dave’s. Absolutely agree with this. I’m pretty sure I reviewed it as I was working on the Developer Guide 2.0 at the time.
The OWASP Top 2010 is primarily Jeff and Dave’s efforts. No problems. I gave up leadership in the project sometime in 2008 when I had to concentrate on personal matters. At that time, I had no draft or made any effort to update the text. Dave’s effort to restart the project didn’t start until after I’d left Aspect. After the draft PPTX was complete, I reviewed drafts of the release candidates, along with about another 30 or so folks.
The OWASP Top 10 2007 is primarily mine in methodology (strict adherence to MITRE statistics in 2006), research and development, authorship, editing and leadership. For example, I sat down with Raoul Endres in a pho restaurant in a wintery day Melbourne, Australia well before I moved to the USA and worked out the methodology. I delivered a draft to about 30 folks in early January of 2007. Jeff Williams and Dave re-wrote and included a few items that I disagreed with (effectively two crypto sections that were not representative in the statistics), and dropped important issues that I felt strongly about. You don’t win them all, but I would have loved for these findings to have made it.
Some of the sections I wrote up in the draft that missed out in the final version:
- A7 – Malformed input (dropped – a bad call in my opinion as nearly all flaws are due to insufficient input validation and output encoding)
- A8 – Broken authorization (dropped – a bad call in my opinion, as most of the easily discovered business logic flaws are authorization related)
- A9 – Insecure cryptography and communications (became A8 – A9 in the final version)
- A10 – Privilege escalation (dropped – a bad call in my opinion, as attackers try to do this all the time)
You can see an early draft here. DO NOT USE THIS VERSION – IT’S NOT OFFICIAL!
I strongly disagreed with the dropping of RFI as it’s one of the biggest reasons that PHP sites are taken over, and PHP is by far the most prevalent server platform. RFI belongs in the OWASP Top 10 probably as the #1 item in the Security Configuration section. There are still millions of sites with this particular flaw.
Call me hypersensitive to the way Dave phrased just one sentence in 45 minutes, but I want folks to realize that I didn’t dedicate many nights and weekends to the OWASP Top 10 2007 to have that taken away from me in glossing over of efforts. I also want to make sure that folks understand that I consider Jeff and Dave friends and utterly respect their long time efforts with OWASP.
* Full disclosure – I worked for Aspect Security between December 2006 and January 2009. Dave and Jeff are founders of Aspect Security and thus my employer during the latter stages of Top 10 2007 gestation. I had a great time at Aspect, worked with amazing customers on cool projects, and have very fond memories of the USA.