[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Fri Aug 23 02:19:07 UTC 2013


On Thu, Aug 22, 2013 at 10:14 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> Hi Christian, thanks for pointing that out. I can definitely see the argument for a CVSS (or CVSS'ish) score for Web App Vulns. The only thing that I might say against it is that while there is meant to be a temporal aspect to things I haven't really seen any CVSS scores adjusted over time. Further, while this aspect is meant to be from discovery to exploit, web app assessment would almost always end up on the exploit end of the scale. Because, if I've identified an XSS in someone's app then it's been exploited.

CVSS is intended to provide a holistic approach to prioritising the
implementation of a patch and/or workaround for vulnerabilities within
binary/bytecode (non-web) applications, operating systems and networks,
in addition to web applications.

On Thu, Aug 22, 2013 at 10:14 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> We should also keep in mind that work has been done in adapting the OSSTMM and its metrics for use in web app assessments.
> http://seclists.org/webappsec/2010/q3/49
> https://twitter.com/isecom/statuses/167973076301135872

OSSTMM is *not* developed in a transparent manner (i.e. closed source)
and this is demonstrated by
https://twitter.com/isecom/statuses/167973076301135872, i.e. there is
no public link within this tweet.

Furthermore, there are no web application security related published
bodies of work from http://www.isecom.org/team.html that are published
outside of ISECOM that I am aware of (I would welcome references that
prove this assumption is incorrect).

On Thu, Aug 22, 2013 at 10:14 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> Anyway, while that's still up in the air I'd like to do something with the existing wiki. Even if that is only to reverse the previous edit which sparked this thread. I was just really hoping that a few people would chime in with black or white (agreement or disagreement) on the topic.

I can't agree that this would be a good use of your time due to the
imminent release of CVSSv3 vs. your expected outcome for the OWASP Risk
Rating Methodology. Rather, it is more advantageous for OWASP to
deprecate this, as other bodies of work related to risk management have
improved significantly over time with multiple releases.

Christian Heinrich
