[Owasp-board] OWASP Project - Security Vulnerability Contextualization Framework

Dave Wichers dave.wichers at owasp.org
Wed Dec 17 14:03:01 UTC 2008



Have you looked at:


Seems like what you are interested in should either use, or potentially
extend this work. This work was done mostly by Jeff Williams where it
started off as a standalone methodology. It has now become part of the
Testing Guide, and probably belongs as a chapter in the Code Review and
Development Guides as well.




From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Paulo Coimbra
Sent: Wednesday, December 17, 2008 7:57 AM
To: 'Rafal Los'
Cc: 'OWASP Foundation Board List';
global_tools_and_project_committee at lists.owasp.org
Subject: Re: [Owasp-board] OWASP Project - Security Vulnerability
Contextualization Framework


Hello Rafal,


Thank you very much for supporting our community. Your contribution is
certainly most welcome.


I am forwarding your question to our OWASP
Global Projects and Tools Committee. After having their feedback, I will
either add you to an existing project or set up a new project page for you
to assume as project leader.


Meanwhile, I suggest glancing at our Assessment
Criteria, which states the path each OWASP project ought to follow so as to
reach Release Quality status.


Many thanks, best regards,


Paulo Coimbra,

OWASP <https://www.owasp.org/index.php/Main_Page>  Project Manager


From: Rafal Los [mailto:rafal at ishackingyou.com] 
Sent: Wednesday, 17 December 2008 08:00
To: paulo.coimbra at owasp.org
Subject: OWASP Project - Security Vulnerability Contextualization Framework


  At the last OWASP in NYC, I was speaking with Tom Brennan and some of the
folks there, and one of the things that's very difficult to come by is a set
of "standards", or perhaps a framework, for providing context around a web
application security vulnerability.  I think this would be a wonderful
project to kick off (if it doesn't already exist), as I think coming up with
a standard way of looking at a vulnerability to determine context, and thus
an actual "Severity Rating", is critical to helping analysts be consistent.
  The question everyone asks - when is Critical Not?  In my blog post (here:
1/risk-rating-when-is-critical-not.aspx) I start the discussion, and I have
had great feedback as well... the next logical step for me is to move this
discussion forward by writing up a formal framework for "contextualizing
security defects" to more accurately address vulnerabilities as risks.

  If such a project already exists, please add me to it, if possible; if not,
I would like to propose it and move forward.



Rafal (Ralph) M. Los
IT Security - Response | Mitigation | Strategy
E-mail:  rafal at ishackingyou.com
Direct:  +1 (404) 606-6056
 - gPGP:    0xFFC63B33
 - Blog:    http://preachsecurity.blogspot.com
 - Web:     http://www.ishackingyou.com
 - LinkedIn:http://www.linkedin.com/in/rmlos


