[Owasp-board] OWASP Project - Security Vulnerability Contextualization Framework

Jeff Williams jeff.williams at owasp.org
Wed Dec 17 15:01:47 UTC 2008

Hi Rafal,


Are you thinking of something like the OWASP Risk Rating Methodology
<http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology>?  Or are you
more interested in a taxonomy for classifying the vulnerability, which is
more like what's going on in the Application Security Desk Reference
<http://www.owasp.org/index.php/ASDR> Project?  I think there's a real
opportunity to help out here.  I'm particularly interested in checking out
FAIR in more detail and applying the concepts there to the problem of
determining risk for web application
Jeff Williams, Chair

 <http://www.owasp.org/> The OWASP Foundation

work: 410-707-1487

main: 301-604-4882


From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Paulo Coimbra
Sent: Wednesday, December 17, 2008 7:57 AM
To: 'Rafal Los'
Cc: 'OWASP Foundation Board List';
global_tools_and_project_committee at lists.owasp.org
Subject: Re: [Owasp-board] OWASP Project - Security Vulnerability
Contextualization Framework


Hello Rafal,


Thank you very much for supporting our community. Your contribution is
certainly most welcome.


I am forwarding your question to our OWASP
Global Projects and Tools Committee. After having their feedback, I will
either add you to an existent project or set up a new project page for you
to assume as project leader.


Meanwhile, I suggest glancing at our Assessment Criteria, which states the
path each OWASP project ought to follow so as to reach Release Quality
status.


Many thanks, best regards,


Paulo Coimbra,

OWASP <https://www.owasp.org/index.php/Main_Page>  Project Manager


From: Rafal Los [mailto:rafal at ishackingyou.com]
Sent: Wednesday, 17 December 2008 08:00
To: paulo.coimbra at owasp.org
Subject: OWASP Project - Security Vulnerability Contextualization Framework


  At the last OWASP in NYC, I was speaking with Tom Brennan and some of the
folks there and one of the things that's very difficult to come by is a set
of "standards", or perhaps a framework for providing context around a web
application security vulnerability.  I think this would be a wonderful
project to kick off (if it already doesn't exist) as I think coming up with
a standard way of looking at a vulnerability to determine context and thus
an actual "Severity Rating" is critical to helping analysts be consistent.
  The question everyone asks - when is Critical Not?  In my blog post (here:
1/risk-rating-when-is-critical-not.aspx) I start the discussion, and I have
had great feedback as well... the next logical step for me is to move this
discussion forward by writing up a formal framework for "contextualizing
security defects" to more accurately address vulnerabilities as risks.

  If such a project already exists, please add me to it, if possible, if not
- I would like to propose it and move forward.



Rafal (Ralph) M. Los
IT Security - Response | Mitigation | Strategy
E-mail:  rafal at ishackingyou.com
Direct:  +1 (404) 606-6056
 - gPGP:    0xFFC63B33
 - Blog:    http://preachsecurity.blogspot.com
 - Web:     http://www.ishackingyou.com
 - LinkedIn:http://www.linkedin.com/in/rmlos