[Owasp-codereview] Code Review Guide: Update

Jeff Williams jeff.williams at owasp.org
Fri May 30 18:12:06 EDT 2008


I've never been convinced that the ease of fixing should really be much of a
consideration when deciding what to work on first.  You don't really reduce
your risk by working on anything but the most critical problem.  Closing the
attic windows is easy, but it doesn't make you more secure if your front
door doesn't lock.

Also, as I think was pointed out previously, the ease of fixing varies
radically depending on the situation. Almost any weakness can range from a
few minutes of work to several months.  One of the reasons for ESAPI is to
reduce the effort of solving some of these problems, but even with ESAPI
there could be a significant amount of redesign and reimplementation
required for most flaws.

My vote is to keep this out of the rating scheme. There might be some
marginal value, but overall I think it does more harm than good.

--Jeff

From: owasp-codereview-bounces at lists.owasp.org
[mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Friday, May 30, 2008 8:38 AM
To: Paolo Perego
Cc: Owasp-codereview at lists.owasp.org
Subject: Re: [Owasp-codereview] Code Review Guide: Update

Hi, I do agree there are external factors, but we can't take into account all
possible variations.

I think some simple formula for effort of work / win factor would be really
useful and adopted by consultancy.

Let me know what you think.


On 30/05/2008, Paolo Perego <thesp0nge at gmail.com> wrote:

2008/5/29 Eoin <eoin.keary at owasp.org>:
[snip]
> Severity * Effort required to fix = Win Factor (Easy win to fix)
>  -> This maps to a grid severity Vs Effort (like a risk matrix) shaded
> areas should be addressed.

Eoin, don't you think that "Effort required to fix" depends on unpredictable
external factors such as (how many people is the development team comprised
of? how much skill do the developers have?)? It will be difficult (IMHO) to
formalize a score for "fixing effort" in order to use it for our Win Factor
score.

What's your opinion about this?

About the Taxonomy or Vulnerability categories, I started writing something
on paper yesterday and I hope this weekend to populate some part of the wiki
page, so Marco, I'll give you the link and then we can start a thread on the
mailing list talking about this topic.

Ciao ciao
thesp0nge
_______________________________________________
Owasp-codereview mailing list
Owasp-codereview at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-codereview

-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Code_Review_Project