CRNISE, Feb 26, 2020

Is the OWASP Top 10 list comprehensive enough for writing secure code?

arXiv:2002.11269v14 citations
AI Analysis

This work addresses a problem relevant to software developers and security practitioners by evaluating a widely used security guideline, but it appears incremental: it focuses on empirical validation of an existing list rather than proposing new methods.

This paper assesses the comprehensiveness of the OWASP Top 10 list for secure coding by comparing it to vulnerabilities reported in the National Vulnerability Database (NVD) over the past decade, and reports what share of those reported weaknesses the list covers (the abstract itself gives no concrete figures).

The OWASP Top 10 is a list that is published by the Open Web Application Security Project (OWASP). Its general purpose is to serve as a watchlist of bugs to avoid while writing code. This paper compares how many of the weaknesses described in the Top 10 list are actually reported in vulnerabilities listed in the National Vulnerability Database (NVD). This makes it possible to show empirically whether the OWASP Top 10 list is comprehensive enough for the code weaknesses that have been found in the past decade.
