Top 10 Selection Criteria
Any issue that is part of the OWASP Top 10 should match very specific Selection/Inclusion criteria.
These criteria should be clear, easy to understand, agreed by the community, and measurable. When applied to the Top 10, the selection of these specific categories should be self-explanatory.
In the Big 4 context, this is relevant for “Auditor Independence”, where a Financial Auditor firm and its staff must demonstrate that they are able to perform a completely unbiased review of a company’s financial reporting without being exposed to external pressures which prevent them from being impartial, such as a financial interest or inducement.
We were told that a Financial Auditor must both “be independent” and “be seen to be independent”. This second definition effectively means that even something that just looks like it would threaten independence, even if it does not, should be considered as a risk and avoided as carefully as an actual independence risk. (from Behind the OWASP Top 10 2017 RC1)
Given the controversy surrounding the current Top 10 2017 RC1, it is very important to get this right, and this Working Session will discuss, identify, and agree a ‘Top 10 Selection Criteria’.
- Create a ‘Top 10 Selection Criteria’
- Apply the selection criteria to all versions of the OWASP Top 10 (and see how they rank)
- Create a framework for it to be used in the other Working Sessions in the OWASP Top 10 2017 Track
- ‘Top 10 Selection Criteria’ published
- Framework for Top 10 criteria to be used in other OWASP Top 10 2017 Working Sessions
The target audience for this Working Session is:
- OWASP Top 10 2017 Track participants
- Long list of criteria for inclusion in ‘Top 10 Selection Criteria’.
- Draft framework for Top 10 criteria to be used in other OWASP Top 10 2017 Working Sessions (please add as much information as possible before the sessions)