[Owasp-singapore] Vulnerability scoring system (or threat rating system)

Christian Heinrich christian.heinrich at owasp.org
Wed Aug 26 04:27:13 EDT 2009


Winston,

The residual risk to the business is calculated with the Environmental Base
Metrics of CVSS.

The High, Medium, Low, etc. value does not represent the residual risk, but
rather the "severity" or "damage consequence" of the residual risk, which
coincidentally is calculated by the Base and Temporal Metrics of CVSS.

On Thu, Aug 20, 2009 at 6:46 PM, <Winston.Leong at sg.ey.com> wrote:

> CVSS is one of the simple answers, but also one of the hardest to implement,
> because to use it effectively you need to understand the impact (sometimes
> the business impact).
>
> If you used a tool to find the vulnerability, there is usually a High,
> Medium, Low, etc. rating associated with the risk.
>
> In any case, the general formula of "Impact x Probability" always works.
>
> Regards, Winston Leong
>
> Winston Leong | Technology and Security Risk Services
> Ernst & Young Risk Advisory Services Pte. Ltd
> One Raffles Quay, North Tower, Level 18, Singapore 048583
> Office: +65 6309 6766 | Fax: +65 6532 7662
> Mobile: +65 9028 3600
> Website: www.ey.com
>
> From: spawn of soul calibur <ruel555 at hotmail.com>
> Sent by: owasp-singapore-bounces at lists.owasp.org
> To: <security-77 at meetup.com>, <owasp-singapore at lists.owasp.org>
> Date: 20/08/2009 04:11 PM
> Subject: [Owasp-singapore] Vulnerability scoring system (or threat rating system)
>
> Hi Security Gurus,
>
> Here I am again asking for some advice. And I'm sure this is not the last,
> so I hope you don't get fed up with me. ;-p
>
> Do you know of the simplest way to score application vulnerabilities (or
> threat rating system, or whatever you call them)?
>
> Basically, I am doing a security assessment of an in-house application (not
> web-based). I have discovered a few vulnerabilities. But now, I want to
> rank the vulnerabilities so that we can prioritize which one needs to be
> fixed first.
>
> Thanks a lot!
>
> Regards,
> Ruel
>
> _______________________________________________
> Owasp-singapore mailing list
> Owasp-singapore at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-singapore


-- 
Regards,
Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule
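The point of the exchange above (Base and Temporal metrics give the severity of a flaw, Environmental metrics give the residual risk to a particular organisation, and it is the latter that should drive fix priority) is easiest to see by running the CVSS version 2 equations on the same flaw in two different environments. The following is an added example and is not code from any poster in this thread; the metric weights and equations are those of the CVSS v2 guide, the High/Medium/Low bands are the NVD convention for v2 scores, and the three metric vectors and finding names are constructed for illustration.

```python
"""CVSS v2 Base, Temporal and Environmental scores for a metric vector.

Added example: weights and equations follow the CVSS v2 guide; the metric
vectors at the bottom are constructed for illustration, not real findings.
"""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Base metric weights (CVSS v2 specification).
ACCESS_VECTOR = {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")}
ACCESS_COMPLEXITY = {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")}
AUTHENTICATION = {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")}
CIA_IMPACT = {"N": D("0"), "P": D("0.275"), "C": D("0.660")}
# Temporal metric weights.
EXPLOITABILITY = {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")}
REMEDIATION_LEVEL = {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")}
REPORT_CONFIDENCE = {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")}
# Environmental metric weights.
COLLATERAL_DAMAGE = {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")}
TARGET_DISTRIBUTION = {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")}
SECURITY_REQUIREMENT = {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")}
NO_REQUIREMENTS = {"CR": "ND", "IR": "ND", "AR": "ND"}


def round1(x):
    """round_to_1_decimal as used by the CVSS v2 equations (half up, not banker's)."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/...' -> {'AV': 'N', 'AC': 'L', 'Au': 'N', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def impact_subscore(m, req):
    """Impact sub-equation; with security requirements it is AdjustedImpact (capped at 10)."""
    c = CIA_IMPACT[m["C"]] * SECURITY_REQUIREMENT[req["CR"]]
    i = CIA_IMPACT[m["I"]] * SECURITY_REQUIREMENT[req["IR"]]
    a = CIA_IMPACT[m["A"]] * SECURITY_REQUIREMENT[req["AR"]]
    return min(D("10.41") * (1 - (1 - c) * (1 - i) * (1 - a)), D("10"))


def base_score(m, req=NO_REQUIREMENTS):
    """Severity of the flaw itself, independent of who runs the software."""
    impact = impact_subscore(m, req)
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = D("0") if impact == 0 else D("1.176")
    return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f_impact)


def temporal_score(m, req=NO_REQUIREMENTS):
    """Base score adjusted for exploit maturity, fix availability and report confidence."""
    return round1(base_score(m, req)
                  * EXPLOITABILITY[m.get("E", "ND")]
                  * REMEDIATION_LEVEL[m.get("RL", "ND")]
                  * REPORT_CONFIDENCE[m.get("RC", "ND")])


def environmental_score(m):
    """Residual risk to this organisation: temporal score re-weighted by the local environment."""
    req = {k: m.get(k, "ND") for k in ("CR", "IR", "AR")}
    adjusted_temporal = temporal_score(m, req)
    cdp = COLLATERAL_DAMAGE[m.get("CDP", "ND")]
    td = TARGET_DISTRIBUTION[m.get("TD", "ND")]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


def severity_band(s):
    """NVD's High/Medium/Low bands for a CVSS v2 score (the label scanners report)."""
    return "High" if s >= 7.0 else "Medium" if s >= 4.0 else "Low"


def score(vector):
    """All three scores for one vector string, as plain floats."""
    m = parse_vector(vector)
    return {
        "base": float(base_score(m)),
        "temporal": float(temporal_score(m)),
        "environmental": float(environmental_score(m)),
    }


def rank_findings(findings):
    """Order findings by environmental (residual-risk) score, highest first.

    `findings` maps a finding name to its full CVSS v2 vector. Ties fall back
    to the base score so the more severe flaw still sorts first.
    """
    scored = [(name, score(vec)) for name, vec in findings.items()]
    scored.sort(key=lambda item: (item[1]["environmental"], item[1]["base"]), reverse=True)
    return [(name, s["environmental"]) for name, s in scored]


# Constructed sample: one flaw (network-reachable, no auth, complete availability
# loss, functional exploit, official fix available) scored in two environments,
# plus a low-severity local leak on a widely deployed component.
FINDINGS = {
    "memory corruption, core service":
        "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H",
    "memory corruption, lab hosts":
        "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:N/TD:L/CR:M/IR:M/AR:M",
    "local info leak, all workstations":
        "AV:L/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:ND/RC:UC/CDP:L/TD:H/CR:H/IR:M/AR:M",
}

if __name__ == "__main__":
    for name, vec in FINDINGS.items():
        s = score(vec)
        print(f"{name}: {s} severity={severity_band(s['base'])}")
    print("Priority order:", rank_findings(FINDINGS))
```

The two memory-corruption entries share the same Base and Temporal scores (the same "High" severity a scanner would print) but land at opposite ends of the ranking once target distribution and collateral damage are applied, while the "Low" local leak on every workstation outranks the lab-host copy. Decimal arithmetic is used so that the half-up rounding the guide specifies is reproducible rather than at the mercy of binary floating point.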