[Owasp-leaders] Potential Update to the OWASP Risk Rating Methodology
Dennis Groves
dennis.groves at owasp.org
Tue Mar 12 17:28:22 UTC 2013
On 12 Mar 2013, at 17:15, Josh Sokol wrote:
> I agree with what you said Dennis and truly appreciate your comment.
> Having said that, one of our primary communities of outreach is
> developers.
Agreed.
> Sure, they should have security professionals to help convey
> risk, but that's not always the case. And if those developers are
> using this as a means to rate their risks
RED ALERT!
Risk ratings are a way of managing **organisational** risks. This is a
function of *management* not development.
If I, as a manager, have to decide between fixing insecure communications
and SQLi, I need a tool like this to figure out which to fix first. My
development team should most certainly not be making decisions of this
magnitude in isolation! My development team should be fixing things
according to the priority determined by the security management team.
Context is everything! Developers live in a very detailed and low-level
world, and are very likely not to understand how their decisions impact
the entire organisation. For this reason it is all the more
important that they not be making decisions, particularly about risks,
without the involvement of the security management team.
Dennis
--
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a
meeting](http://goo.gl/8sPIy).
*This email is licensed under a [CC BY-ND
3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*
**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free
software](http://www.fsf.org/campaigns/secure-boot/statement).
> The idea that some lives matter less is the root of all that’s wrong
> with the world. -- Paul Farmer