[Owasp-leaders] How to determine if an application is or not vulnerable based on a Risk Management matrix

Michael Hidalgo michael.hidalgo at owasp.org
Fri Mar 8 14:48:05 UTC 2013

Hi Folks, Greetings from the beautiful Costa Rica :)

Today I received an interesting question from a person that is going to
participate in the upcoming OWASP Latam Tour( and I say interesting because
I'm glad OWASP methodologies are being adopted in Costa Rica).

So this person, along with a lot of developers, did a terrific job. They
created a Risk Management matrix and identified all the applications
they are using. Then, based on the OWASP Top Ten, they did a classification
of those, and at the end of the day they determined which applications
required special attention.

This person sent me an email, and his principal concern is: once he has
determined which applications are more vulnerable (as a result of the Risk
Matrix), how could they evaluate if those vulnerabilities exist in their

Since I'm not an expert in Risk Management, what would you guys
suggest? Basically the question here is: given the Risk Management Matrix,
how do you determine the incidence of those vulnerabilities in the code?

Is there any project at OWASP that explains something similar, or any further

I was reading at https://www.owasp.org/index.php/Threat_Risk_Modeling which
is very complete.

Thanks for your comments.


*Michael Hidalgo.
OWASP Chapter Leader & Researcher*

*Blog: http://michaelhidalgocr.blogspot.com*