© 2019 Synopsys, Inc. 1
Using Evidence-Based Security in Your Secure Development Life Cycle
• Andrew van der Stock
• Senior Principal Consultant, Synopsys
• OWASP Top 10 Co-Lead
• OWASP Application Security Verification Standard Co-Lead
Andrew van der Stock
Joined OWASP late 2002 (ish)
Executive Director 2005–2007
OWASP Developer Guide 2.0 (2003–2005)
OWASP Top 10 2007
OWASP ESAPI for PHP (sorry!)
OWASP Application Security Verification Standard (2009–2018)
OWASP Top 10 2017
Board Member 2015–2018
Difficult gestation
OWASP Top 10 history
Top 10 is awareness. Period.
Criticism—valid and invalid
• “Not OWASP-like”
– A7 Monitoring and A10 API Protection boiled down to “failure to buy a tool”
– From a vendor who sets the standard
– From a vendor who owns the tool-type market
• John Steven and others had ontological issues with both controls and vulnerabilities (“Define vulnerability. Is that a vulnerability?”)
• Others had problems with the data quality
• Showed us people really care about the OWASP Top 10!
Leadership
• Dave Wichers and Jeff Williams stood down
• Handed it over to Andrew van der Stock
• Immediately appointed co-leaders
– Neil Smithline (participated since 2004)
– Torsten Gigler (German translator since 2010)
– And the team added … Brian Glas (data geek)
Project Summit
• OWASP Project Summit
• 10–15 folks local, including Brian Glas and Dave Wichers
• 5–10 folks remote, including Andrew van der Stock
• Aimed for a release in 2017 (achieved)
• Agreed to reopen data call (done)
• Agreed on up to two forward-looking issues (done)
• Agreed to open a new survey (done)
• Agreed to work in the open at GitHub (done)
Data
OWASP Top 10 2017
Data call
• Needed data for 2016
• Needed qualitative survey data for two replacements for A7 and A10
• Brian Glas designed the new survey
• 500+ responses
• Obtained a great deal more data, including from the CAC, HPE (Fortify), Veracode, Checkmarx, and Bugcrowd
• Over 114,000 apps form the data set
• Still analyzing all this data
Dimensions of data quality
• Intrinsic: Accuracy, Lineage, Semantic, Structure, Integrity
• Contextual: Completeness, Consistency, Currency, Timeliness, Reasonableness, Identifiability
Ordering
• We ordered in risk (impact × likelihood), which means CVSS × (survey | data)
• Represents our best understanding of 2017 issues
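As an added illustration, not the OWASP Top 10 project's own analysis code or data, the following shows how the ordering rule above, impact from CVSS and likelihood from incidence data where it exists and from the survey for the forward-looking items, yields a single ranking; the category names, CVSS values, counts and survey scores are constructed.

```python
# Rank candidate categories by risk = impact x likelihood.
# Impact is the average CVSS base score; likelihood is the share of tested
# apps with at least one finding (data call) or, for survey-only items,
# the mean survey rating scaled to 0-1. Constructed example, not OWASP data.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Candidate:
    name: str
    cvss: float                            # average CVSS base score (0-10)
    apps_affected: Optional[int] = None    # data call: apps with a finding
    apps_tested: Optional[int] = None      # data call: apps in the sample
    survey_score: Optional[float] = None   # survey: mean rating (0-10)


def likelihood(c: Candidate) -> float:
    """Return a 0-1 likelihood, preferring incidence data over survey opinion."""
    if c.apps_tested:
        # Consistency check: a category cannot affect more apps than were tested.
        if c.apps_affected is None or c.apps_affected > c.apps_tested:
            raise ValueError(f"{c.name}: inconsistent incidence counts")
        return c.apps_affected / c.apps_tested
    if c.survey_score is not None:
        return max(0.0, min(c.survey_score, 10.0)) / 10.0
    raise ValueError(f"{c.name}: no likelihood evidence (data or survey)")


def risk(c: Candidate) -> float:
    return c.cvss * likelihood(c)


def order_by_risk(cands: List[Candidate]) -> List[Candidate]:
    """Sort descending by risk; ties broken by name so the order is reproducible."""
    return sorted(cands, key=lambda c: (-risk(c), c.name))


# Constructed sample: three data-backed categories and one survey-only item.
SAMPLE = [
    Candidate("Injection", cvss=8.0, apps_affected=4000, apps_tested=10000),
    Candidate("XSS", cvss=6.1, apps_affected=4100, apps_tested=10000),
    Candidate("Sensitive Data Exposure", cvss=7.0, apps_affected=3000, apps_tested=10000),
    Candidate("Insufficient Logging", cvss=6.5, survey_score=2.0),  # forward-looking
]

if __name__ == "__main__":
    for rank, c in enumerate(order_by_risk(SAMPLE), 1):
        print(f"{rank}. {c.name}: risk={risk(c):.2f}")
```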
Road to release
OWASP Top 10 RC2
OWASP Top 10 GM
OWASP Top 10 Final
GitHub
• Everything is in GitHub
• Open: Moved to GitHub
• Open: Data and analysis
• Traceable: Issues
• Translatable: Markdown
Translations
Please contribute to translations
- Fork
- Translate
- Submit a pull request
- Maintain your translation
• English
• French
• Hebrew
• Japanese
• Korean
• Spanish
I am a cat.
Final release
• Hundreds of issues closed in three months
• Markdown → PowerPoint
• Released Thanksgiving 2017
• Kicked off translations
• Well received
OWASP Top 10 - 2017
The Ten Most Critical Web Application Security Risks
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License
https://owasp.org
Time to upskill and continuously improve
• OWASP Top 10 2017 is different
– Update skills
– Update test plans
– Update tools
– Update scan policies
In particular, A3, A8, and A10 are very different. No tool can adequately capture all 10 risks.
Onward to the OWASP Top 10 2020
What did we learn?
• Awareness first
• OWASP Top 10 … or Top 41?
• Data call
• Data quality
• (Business) risk vs. (technical) risk vs. breach likelihood vs. …
• Time for a new look
• Don’t release on Thanksgiving
Focus on awareness
• OWASP Top 10 is an awareness document
– Proactive Controls is better for entry-level AppSec programs
– Application Security Verification Standard is a standard and should be used
– Testing Guide
– Code Review Guide
– Training applications
– Other standards (PCI DSS, NIST 800-63, NIST 800-53, etc.)
• Tighter integration with all OWASP materials, calls to action
OWASP Top 10 … or OWASP Top 41?
• This is to be decided
– SSRF only appears in AR section
– CWE limitations
• More specificity—agreed
• No categories—mostly agreed
Data call planning
– Anonymous and aggregate public data?
– Detailed private data for academics?
– Full disclosure?
– More sources
– Boutiques
– Vulnerability management
– Bug bounties
– Cloud vendors
– Automated tool vendors with services
Dimensions of data quality
• Intrinsic: Accuracy, Lineage, Semantic, Structure, Integrity
• Contextual: Completeness, Consistency, Currency, Timeliness, Reasonableness, Identifiability
Data quality
• Segmentation
– Allows folks to work out their Top 10
– Boutiques (manual results are better than automated results)
– Automated vendors (low-hanging fruit, volume)
– Bug bounties (demonstrated payout) and vulnerability programs
• Better data science
– Ask better questions of the data
• Share with anyone, including other OWASP projects
– Application Security Verification Standard
– Proactive Controls
– Juice Shop and other training tools
Risk-rated order, or just existence
• Ordering history (2004, 2007, 2010–2017)
• Order of the Top 10 is irrelevant
• It’s the absolute, bare, rock-bottom minimum you can and should do
• Do we provide an order at all?
• Where do we go from here?
Time for a new look
Release date
• Will not be Thanksgiving
• Will engage with media earlier
• Aiming between August and October
– Likely to coincide with OWASP AppSec Global <USA>
Get ready for 2020
We have started getting ready!
- Help us with data!
- Watch us build out on GitHub!
- Provide issues and advice!
Thank you!
Andrew van der Stock
@vanderaj
OWASP related
vanderaj@owasp.org
Work related
vander@synopsys.com