
OWASP Top 10 Flagship Project "The making of the OWASP Top 10 and beyond"


Authors: Brian Glas


The presentation discusses the process of creating the OWASP Top 10 2021 and the core principles that guided the selection of the top 10 risk categories.
  • The OWASP Top 10 is a baseline for software security and not a ceiling.
  • Data is important but has limitations as it reflects the past and not necessarily the present.
  • Stability is crucial in the selection of the top 10 risk categories to provide foundational stability for others to build on.
  • The goal is to raise the minimum bar and improve security across the industry and community.
  • Driving the right behavior is important to improve software security across the industry.
  • Root cause analysis is important in identifying and addressing software security issues.
  • The OWASP Top 10 2021 was created through a process of data collection, survey, data analysis, categorization, drafts, reviews, and the released product.
The speaker emphasized the importance of transparency in software security and explained how the OWASP Top 10 2021 provides a baseline for it. He also described the humbling responsibility of selecting the top 10 risk categories, since that choice can set in motion thousands of hours of labor across the industry over the following years. He thanked the organizations that contributed data to the OWASP Top 10 2021, which together form the largest data set of its kind, and returned to the importance of driving the right behavior to improve software security across the industry.


Ever wonder how the bread is made? We'll take you back into the kitchen so you can see how the Top 10 2021 was made. We'll walk through the process, explaining which decisions were made and why, covering data collection, the survey, data analysis, categorization, drafts, reviews, and the released product. This talk is not about what's in the Top 10; check out the earlier talk for that discussion. This talk is about what went into making the Top 10 2021.

