Top 10 2007 is done
The document is a complete re-write from scratch, and is totally up to date. It’s 34 pages of goodness wrapped in a shiny new document format. Essentially it’s over all bar the shouting… which comes next!
The document will be uploaded to our Wiki in the next week (post-board approval). If you want your review points or changes to be included, you will need to be on the Top 10 mail list to make the suggestions or changes. To join the OWASP Top 10 mail list (it’s free!), go here:
OWASP Top 10 Mailman interface
I am particularly interested in hearing from people in the
- PCI DSS arena
- Department of Homeland Security
- NIST
- Your nation’s equivalent of the above two if you are outside of the USA
- If your organization has previously adopted the OWASP Top 10 2004
- Vendors in the WAF, automated code review, and other automated tool arena (yes, we finally discuss if these automated controls are likely to work, but as we don’t know about every product, the more advice we can get the better)
- Frameworks, particularly the PHP team, J2EE / Struts / JSF / Hibernate / Sun / BEA, JBoss, etc., and of course Microsoft’s folks in the .NET team
The last two bullet points are REALLY important as we make some stringent suggestions about how best to code to avoid the Top 10 weaknesses and we want to ensure that it really is the best advice. If you can’t be seen contributing publicly, feel free to e-mail me… vanderaj (at) owasp.org.
UPDATE >> Here it is!
http://www.owasp.org/index.php/Top_10_2007
Andrew
Datasecurity responded on 04 Feb 2007 at 9:10 pm #
Hi Andrew, I’ve emailed you before and wanted to let you know that we will support you in any PCI DSS effort you have. Please email and let us know how we can help.
OWASP Top 10 for 2007 « PCI and Data Security Compliance responded on 04 Feb 2007 at 9:18 pm #
[...] Top 10 for 2007 Andrew, top organizer of OWASP, has posted to his personal blog that the OWASP Top 10 list for 2007 is complete. The document is a complete re-write from scratch, [...]
Deep inside... responded on 16 Feb 2007 at 5:47 pm #
OWASP Top Ten 2007…
Definitely interesting stuff: http://www.owasp.org/index.php/Top_10_2007...
OWASP Calling It Like It Is « Mark Curphey - SecurityBuddha.com responded on 13 Mar 2007 at 7:16 pm #
[...] Vendors in the WAF, automated code review, and other automated tool arena (yes, we finally discuss i… [...]
OWASP Top 10 for 2007 at PCI Compliance Demystified responded on 18 Mar 2007 at 9:14 pm #
[...] top organizer of OWASP, has posted to his personal blog that the OWASP Top 10 list for 2007 is complete. The document is a complete re-write from scratch, [...]