[Owasp-singapore] Vulnerability scoring system (or threat rating system)

Winston.Leong at sg.ey.com Winston.Leong at sg.ey.com
Thu Aug 20 04:46:51 EDT 2009


CVSS is one of the simple answers, but also one of the hardest to implement,
because to use it effectively you need to understand the impact
(business sometimes).

If you used a tool to find the vulnerability, there is usually a High,
Medium, Low, etc. associated with the risk.

In any case, the general formula of "Impact x Probability" always works.

Regards, Winston Leong
Winston Leong | Technology and Security Risk Services
Ernst & Young Risk Advisory Services Pte. Ltd
One Raffles Quay, North Tower, Level 18, Singapore 048583
Office: +65 6309 6766 | Fax: +65 6532 7662
Mobile: +65 9028 3600
Website: www.ey.com
Thank you for considering the environmental impact of printing emails.
From: spawn of soul calibur <ruel555 at hotmail.com>
Sent by: owasp-singapore-bounces at lists.owasp.org
To: <security-77 at meetup.com>, <owasp-singapore at lists.owasp.org>
Date: 20/08/2009 04:11 PM
Subject: [Owasp-singapore] Vulnerability scoring system (or threat rating system)

Hi Security Gurus,

Here I am again asking for some advice. And I'm sure this is not the last,
so I hope you don't get fed up with me. ;-p

Do you know of the simplest way to score application vulnerabilities (or
a threat rating system, or whatever you call them)?

Basically, I am doing a security assessment of an in-house application (not
web-based). I have discovered a few vulnerabilities. But now, I want to
rank the vulnerabilities so that we can prioritize which one needs to be
fixed first.

Thanks a lot!

Regards,
Ruel
