[Owasp-board] OWASP Project - Security Vulnerability Contextualization Framework
jeff.williams at owasp.org
Wed Dec 17 15:01:47 UTC 2008
Are you thinking of something like the OWASP Risk
Methodology? Or are you more interested in a taxonomy for classifying the
vulnerability, which is more like what's going on in the Application
Security Desk Reference <http://www.owasp.org/index.php/ASDR> Project. I
think there's a real opportunity to help out here. I'm particularly
interested in checking out FAIR in more detail and applying the concepts
there to the problem of determining risk for web application
Jeff Williams, Chair
<http://www.owasp.org/> The OWASP Foundation
From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Paulo Coimbra
Sent: Wednesday, December 17, 2008 7:57 AM
To: 'Rafal Los'
Cc: 'OWASP Foundation Board List';
global_tools_and_project_committee at lists.owasp.org
Subject: Re: [Owasp-board] OWASP Project - Security Vulnerability
Thank you very much for supporting our community. Your contribution is
certainly most welcome.
I am forwarding your question to our OWASP
Global Projects and Tools Committee. After having their feedback, I will
either add you to an existent project or set up a new project page for you
to assume as project leader.
Meanwhile, I suggest glancing at our Assessment
Criteria, which state the path each OWASP project ought to follow in order to reach
Release Quality status.
Many thanks, best regards,
OWASP <https://www.owasp.org/index.php/Main_Page> Project Manager
From: Rafal Los [mailto:rafal at ishackingyou.com]
Sent: Wednesday, 17 December 2008 08:00
To: paulo.coimbra at owasp.org
Subject: OWASP Project - Security Vulnerability Contextualization Framework
At the last OWASP in NYC, I was speaking with Tom Brennan and some of the
folks there and one of the things that's very difficult to come by is a set
of "standards", or perhaps a framework for providing context around a web
application security vulnerability. I think this would be a wonderful
project to kick off (if it already doesn't exist) as I think coming up with
a standard way of looking at a vulnerability to determine context and thus
an actual "Severity Rating" is critical to helping analysts be consistent.
The question everyone asks - when is Critical Not? In my blog post (here:
1/risk-rating-when-is-critical-not.aspx) I start the discussion, and I have
had great feedback as well... the next logical step for me is to move this
discussion forward by writing up a formal framework for "contextualizing
security defects" to more accurately address vulnerabilities as risks.
If such a project already exists, please add me to it, if possible; if not,
I would like to propose it and move forward.
Rafal (Ralph) M. Los
IT Security - Response | Mitigation | Strategy
E-mail: rafal at ishackingyou.com
Direct: +1 (404) 606-6056
- gPGP: 0xFFC63B33
- Blog: http://preachsecurity.blogspot.com
- Web: http://www.ishackingyou.com <http://www.ishackingyou.com/>