<div dir="ltr"><div>Hi Vinod, <br><br></div>I don't think you can get any sort of average time (which is reliable) for fixing XSS etc. unless you can freeze on the language, framework and a particular coding standard.<br>
<div><div></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 7 January 2014 13:35, Kannan, Vinod K <span dir="ltr"><<a href="mailto:vinod.k.kannan@jpmorgan.com" target="_blank">vinod.k.kannan@jpmorgan.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hi All,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I am trying to create an algorithm to calculate the total effort in man hours to fix the findings from a web static scan. Please let me know if there is any
 good and recognized source from where I could get the details like average time to fix different vulnerabilities like  SQLi or XSS and so on.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Regards,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Vinod Kannan<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">App Sec consultant - JPMC<u></u><u></u></span></p>
</div>
</div>

<br>_______________________________________________<br>
OWASP-Bangalore mailing list<br>
<a href="mailto:OWASP-Bangalore@lists.owasp.org">OWASP-Bangalore@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-bangalore" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-bangalore</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Warm regards,<br>Akash Mahajan<br><br><i>That Web Application Security Guy</i> | +91 99 805 271 82<br><a href="http://akashm.com" target="_blank">akashm.com</a> | <i>@makash</i> on twitter | <a href="http://linkd.in/webappsecguy" target="_blank">linkd.in/webappsecguy</a><br>
<i>OWASP Bangalore Chapter Lead | null Community Manager</i><br><br>
</div>