[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Sat Aug 24 02:23:16 UTC 2013


On Fri, Aug 23, 2013 at 11:16 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> Hi Christian, I think we're all in agreement that the current methodology could be replaced or improved. I'm just looking for a quick fix (i.e. I can do it in mere seconds....there is no concern about it taking time) to address a client concern and what seems like an obvious mistake.

Since the issue was raised by your client I would recommend that
someone independent of you and your client perform the change on the
wiki, otherwise the change will appear biased.

On Fri, Aug 23, 2013 at 11:16 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> Even if CVSSv3 is out tomorrow (I suspect imminent for it actually means sometime this year...maybe), OWASP isn't going to adopt it the day after (even if we've established here that we should or could), and even further out is adoption by users/companies/organizations that currently leverage OWASP material.

CVSSv3 is supported by an extensive list of stakeholders, i.e.
http://www.first.org/cvss/eadopters, http://www.first.org/cvss/team
and scroll down to the "Announcing the CVSS Special Interest Group
for CVSS v3 Development" section on
http://www.first.org/cvss/v3/development too.

That stated, this is the first instance I have known of where someone
other than Aspect Security has adopted their flawed risk rating
methodology :)  I'll assume that this was a copy paste from an OWASP
Top Ten finding?

On Fri, Aug 23, 2013 at 11:16 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> So to the original point of this thread:
> Do people agree or disagree that the current threat agent skill definition is backwards and that the edit (https://www.owasp.org/index.php?title=OWASP_Risk_Rating_Methodology&diff=133450&oldid=122921) should be reversed?

Logically I don't disagree with your change, but there may have been a
caveat that you may not have considered (and which might have been the
original intent of this anomaly), i.e. that an unskilled threat
agent is more dangerous (since they make more unintended mistakes)
than those who are highly skilled.

BTW, I have no idea as to the reason why a "5th" value is
missing, i.e. refer to the change note of Soroush Dalili for

Christian Heinrich

