[ghaff]

Even OWASP Top 10 often seems to be most interesting in the vein of "That thing that was a problem 10 years ago? Yep still a problem." That's a bit unfair. Stuff does move around a bit over time and some new categories come in. But it often mostly seems to document how relatively little things change.

[tptacek]

I don't think the OWASP Top 10 is especially good, and in general think it mostly serves as a tool to raise the salience of application security, rather than as a guide to implementing it. It almost doesn't matter what the Top 10 is.

[ghaff]

Back when I was attending DevOps Days fairly regularly that's pretty consistent with how I saw the OWASP Top 10 being used--to highlight security in general as opposed to any specific categories.

[Tijdreiziger]

Well, there are a lot of legacy applications out there.