cider-security-research / top-10-cicd-security-risks

https://www.cidersecurity.io/top-10-cicd-security-risks/

Vulnerabilities not risks #6

Open dominikmi opened 2 years ago

dominikmi commented 2 years ago

These top 10 "risks" are actually vulnerabilities, which, by any sound root cause analysis, are likely caused by an IT organization lacking capabilities in multiple areas of IT/ITSec. The "impact" section describes the technical consequences and the attack surface used in a compromise by a threat actor; examples would be useful to set a prior P. Yet the risks themselves are never really mentioned in this publication. Nevertheless, you guys did a fantastic job, which would greatly leverage any risk analysis in the broader field of modern software delivery. Thank you.

sergiomarotco commented 2 years ago

I support this. OWASP, too, in its texts variously calls its Top 10 items vulnerabilities, risks, or threats. Moreover, I personally know some of the people in OWASP, and I don't understand why they allow this, knowing the level of their knowledge.