2013 OWASP Mobile Top 10 Call For Data

[Jim Manico <jim.manico () owasp org>]

Hello All,

We are pleased to announce the 2013 call for data to help refresh the Mobile Top 10 Risks for 2013 and publish a more 
formal publication. We are encouraging everyone to get involved.

The current Mobile Top Ten Risks are located here: 

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab.3DTop_Ten_Mobile_Risks

- What do we need? - 

Right now we are looking for data that represents the current state of mobile application security. We are soliciting 
not just vulnerability data, but also incident and attack data that reflects the real-world prevalence and significance 
of these issues. The goal in requiring both is to rank risks accordingly based on data as opposed to making 
assumptions. We will use this data to flesh out and re-evaluate the currently incomplete Mobile Top Ten Project.

- How can you contribute? - 

Contributing data is easy. All we require is anonymized statistics on the vulnerabilities you’ve seen in 2012-Present. 
If you have data on real-world incidents and attacks to share, these will be of great value as well as they will allow 
real-world impact to be better assessed. This can be just aggregate percentages, no need to tell us how many apps 
you’re doing if you’re not comfortable with that. Something like the below:

Issue: Something related to geolocation
Percentage Affected: X%
Number Affected: Y (only if you are comfortable with this)
Brief Description: This is a problem because xyz and also, bad things.

The data you submit does not necessarily have to reflect the current Top 10, it has to reflect what you are observing 
in the applications you analyze. At the same time, we would certainly love feedback on what you believe is correct or 
incorrect about the current list.

- What happens next? -

After a 60 day period we will review all submissions and re-draft the Mobile Top Ten based on the prevalence and impact 
of data provided by participants. After the submission period ends, there will be follow-on discussions and work to 
analyze the data. Participation in this initiative may require up to 10 hours of efforts per week, so please take this 
into consideration before signing up.

- Spread the word. Make a difference! - 

Also, any help spreading the word on the Mobile Security Project is immensely helpful.  A Tweet/Facebook/Linkedin post, 
blog entry, etc. This initiative will fail if people don't know about it.  Anyone that you can promote this initiative 
to will help the cause.

We thank all of you in advance for your participation and hard work in making this initiative a success. Your 
participation will be noted and recorded when compiling the list of contributors for the final release of the Mobile 
Top 10 Risks documentation.

- Get in touch and get involved. -

Please direct any questions or concerns to the Top 10 Refresh leaders, Jason Haddix (jason.haddix () owasp org), Jack 
Mannino (jack.mannino () owasp org), and Mike Zusman (mike.zusman () owasp org). 

We will be using a Google Group to collaborate on the Top 10 refresh: 
https://groups.google.com/a/owasp.org/forum/?hl=en&fromgroups#!forum/owasp-mobile-top-10-risks

The OWASP Mobile Security project’s mailing list is also another way to get in touch with other contributors 
(owasp-mobile-security-project () lists owasp org).

Thank you!

Regards,
Jim Manico
OWASP Board Member and Volunteer
@Manicode

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________