Here's an example. In the BSIMM, 10 of 30 firms have built top-N bug
lists based on their own data culled from their own code. I would
love to see how those top-N lists compare to the OWASP top ten or the
CWE-25. I would also love to see whether the union of these lists is
even remotely
Hello SC-L,
We have released 3 OWASP podcasts over the last few days for your
listening pleasure:
#60 Interview with Jeremiah Grossman and Robert Hansen (Google pays for
vulns)
http://www.owasp.org/download/jmanico/owasp_podcast_60.mp3
#59 AppSec round table with Dan Cornell, Boaz Gelbord,
In the web security world it doesn't seem to matter much. Top(n) Lists
are Top(n).
There is much ideological disagreement over what goes in those lists
and why, but the ratios of defects are fairly consistent, both with
managed code and with scripting languages.
The WhiteHat Security statistics
On Fri, 5 Feb 2010, McGovern, James F. (eBusiness) wrote:
One of the general patterns I noted while providing feedback to the
OWASP Top Ten listserv is that top ten lists do sort differently. Within
an enterprise setting, it is typical for enterprise applications to be
built on Java, .NET or