
I agree it's better than nothing. I guess the problem lies with OWASP (as far as I'm aware) being volunteer-created content, and there are no economic incentives for those individuals to keep it up to date after initial publishing.


OWASP has been a major authority on web security for a long time. Their best known material is well regarded in both academia and industry (I wasn't aware of the half-hearted contributions until now).

OWASP's best asset, in my opinion, is their seemingly conservative approach, always there to teach me yet another tough lesson (again) about the ten original deadly sins[1] of web development. And other things.

While state-of-the-art content can be lacking, it could also be assumed that those same kinds of threats will be lacking in the wild. The greatest share of threats we face are mostly of the dull, low-hanging-fruit kind that has been around since forever (because the same vulnerabilities are provided again and again).

> Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life. - @thegrugq

I'd like to mention to anyone less familiar with the subject, that OWASP is a resource on defensive security. If seeking content on offensive security, other sources are usually more rewarding (a pentesting site was mentioned).

[1]: https://owasp.org/www-project-top-ten/


I think it is mostly not true that OWASP is especially highly regarded, and truer to say that it's the application security project with the most momentum and the highest public profile, and so it's generally the easiest thing to cite.

Lots of good people have contributed to OWASP over the years and I wouldn't want to diminish their work (which is another problem with the project: it's blinded to a lot of critique by the deference it gets). But the idea that someone would take flaws in OWASP, try to reconcile them with the axiom "OWASP is good", and conclude that it's the bug's fault, not OWASP's; that's pretty alarming.



