[Owasp-leaders] Potential Update to the OWASP Risk Rating Methodology

Dennis Groves dennis.groves at owasp.org
Tue Mar 12 17:28:22 UTC 2013


On 12 Mar 2013, at 17:15, Josh Sokol wrote:

> I agree with what you said Dennis and truly appreciate your comment.
> Having said that, one of our primary communities of outreach is
> developers.

Agreed.

> Sure, they should have security professionals to help convey
> risk, but that's not always the case. And if those developers are
> using this as a means to rate their risks

RED ALERT!

Risk ratings are a way of managing **organisational** risks. This is a 
function of *management* not development.

If I, as a manager, have to decide between fixing insecure communications 
and SQLi, I need a tool like this to figure out which to fix first. My 
development team should most certainly not be making decisions of this 
magnitude in isolation! My development team should be fixing things 
according to the priority determined by the security management team.

Context is everything! Developers live in a very detailed and low-level 
world, and are very likely not to understand how their decisions impact 
the entire organisation. For this reason it is all the more 
important that they not be making decisions, particularly about risks, 
without the involvement of the security management team.

Dennis

-- 
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a meeting](http://goo.gl/8sPIy).

*This email is licensed under a [CC BY-ND 3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free software](http://www.fsf.org/campaigns/secure-boot/statement).

> The idea that some lives matter less is the root of all that’s wrong 
> with the world. -- Paul Farmer