[Owasp-board] OWASP Project - Security Vulnerability Contextualization Framework

Paulo Coimbra paulo.coimbra at owasp.org
Wed Dec 17 12:56:45 UTC 2008


Hello Rafal,

Thank you very much for supporting our community. Your contribution is
certainly most welcome.

I am forwarding your question to our OWASP Global Projects and Tools
Committee <https://www.owasp.org/index.php/Global_Projects_and_Tools_Committee>.
After having their feedback, I will either add you to an existing project or
set up a new project page for you to assume as project leader.

Meanwhile, I suggest glancing at our Assessment Criteria
<https://www.owasp.org/index.php/Category:OWASP_Project_Assessment>, which
states the path each OWASP project ought to follow so as to reach Release
Quality status.

Many thanks, best regards,

Paulo Coimbra,
OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>

From: Rafal Los [mailto:rafal at ishackingyou.com]
Sent: Wednesday, 17 December 2008 08:00
To: paulo.coimbra at owasp.org
Subject: OWASP Project - Security Vulnerability Contextualization Framework

Paulo,

At the last OWASP in NYC, I was speaking with Tom Brennan and some of the
folks there, and one of the things that's very difficult to come by is a set
of "standards", or perhaps a framework for providing context around a web
application security vulnerability. I think this would be a wonderful
project to kick off (if it doesn't already exist), as I think coming up with
a standard way of looking at a vulnerability to determine context and thus
an actual "Severity Rating" is critical to helping analysts be consistent.

The question everyone asks - when is Critical Not? In my blog post (here:
http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2008/10/31/risk-rating-when-is-critical-not.aspx)
I start the discussion, and I have had great feedback as well... the next
logical step for me is to move this discussion forward by writing up a formal
framework for "contextualizing security defects" to more accurately address
vulnerabilities as risks.

If such a project already exists, please add me to it, if possible; if not,
I would like to propose it and move forward.

Cheers.

  _____  

Rafal (Ralph) M. Los
IT Security - Response | Mitigation | Strategy
E-mail:   rafal at ishackingyou.com
Direct:   +1 (404) 606-6056
 - gPGP:    0xFFC63B33
 - Blog:    http://preachsecurity.blogspot.com
 - Web:     http://www.ishackingyou.com
 - LinkedIn: http://www.linkedin.com/in/rmlos

