[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

rick.mitchell at bell.ca rick.mitchell at bell.ca
Fri Aug 23 13:16:19 UTC 2013


Hi Christian, I think we're all in agreement that the current methodology could be replaced or improved. I'm just looking for a quick fix (i.e. I can do it in mere seconds; there is no concern about it taking time) to address a client concern and what seems like an obvious mistake.

Even if CVSSv3 is out tomorrow (I suspect imminent for it actually means sometime this year...maybe), OWASP isn't going to adopt it the day after (even if we've established here that we should or could), and even further out is adoption by users/companies/organizations that currently leverage OWASP material.

So to the original point of this thread:
Do people agree or disagree that the current threat agent skill definition is backwards and that the edit (https://www.owasp.org/index.php?title=OWASP_Risk_Rating_Methodology&diff=133450&oldid=122921) should be reversed?

Rick

-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich at cmlh.id.au] 
Sent: August 22, 2013 10:19 PM
To: Mitchell, Rick (6030318)
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Rick,

On Thu, Aug 22, 2013 at 10:14 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> Hi Christian, thanks for pointing that out. I can definitely see the argument for a CVSS (or CVSS'ish) score for Web App Vulns. The only thing that I might say against it is that while there is meant to be a temporal aspect to things, I haven't really seen any CVSS scores adjusted over time. Further, while this aspect is meant to be from discovery to exploit, web app assessment would almost always end up on the exploit end of the scale. Because, if I've identified an XSS in someone's app then it's been exploited.

CVSS is intended to provide a holistic approach to prioritising the
implementation of a patch and/or workaround for vulnerabilities within
binary/bytecode (non-web) applications, operating systems and networks,
in addition to web applications.

On Thu, Aug 22, 2013 at 10:14 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> We should also keep in mind that work has been done in adapting the OSSTMM and its metrics for use in web app assessments.
> http://seclists.org/webappsec/2010/q3/49
> https://twitter.com/isecom/statuses/167973076301135872

OSSTMM is *not* developed in a transparent manner (i.e. closed source)
and this is demonstrated by
https://twitter.com/isecom/statuses/167973076301135872, i.e. there is
no public link within this tweet.

Furthermore, there are no web application security related published
bodies of work from http://www.isecom.org/team.html that are published
outside of ISECOM that I am aware of (I would welcome references that
prove this assumption is incorrect).

On Thu, Aug 22, 2013 at 10:14 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> Anyway, while that's still up in the air I'd like to do something with the existing wiki. Even if that is only to reverse the previous edit which sparked this thread. I was just really hoping that a few people would chime in with black or white (agreement or disagreement) on the topic.

I can't agree that this would be a good use of your time due to the
imminent release of CVSSv3 vs your expected outcome for the OWASP Risk
Rating Methodology. Rather, it is more advantageous for OWASP to
deprecate this, as other bodies of work related to risk management have
improved significantly over time with multiple releases.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
