[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Sun Aug 25 00:58:15 UTC 2013


Marco,

On Sat, Aug 24, 2013 at 4:46 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
> Christian, thanks for the correction in regarding CVSS origins. I think my
> confusion is from the fact that Steve Christey, of the MITRE Corporation,
> who edits Common Vulnerabilities and Exposures (CVE) is also member of FIRST
> but indeed this is not MITRE's child, CVE is, my fault.

This error is not uncommon and is due to their reading of "V" and "W" too,
i.e. CVE and CWE.

Also, the NVD is hosted within NIST, not MITRE, i.e.
http://nvd.nist.gov/, and NIST lists their respective CVSSv2 Metrics
against their CVE entries.

On Sat, Aug 24, 2013 at 4:46 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
> I do not have a view on the other points you are making but I do not agree
> the OWASP risk methodology is "flawed" so it can be rejected entirely. I am
> in favor of a revision same as CVSS had revisions as well. In my opinion, I
> believe in "increased maturity through continuous improvements". I also
> think this discussion should be brought up to the people that are mentioned
> in this email so they can excise their opinion and we can have a fair
> discussion on this topic.

I attempted to update the OWASP Risk Rating Methodology around the
release of the OWASP Testing Guide v3 and the OWASP Top Ten dated
2010.  My proposal also included making the Risk Rating Methodology
independent from the Testing Guide.  This was resisted by the project
leader (of the OWASP Testing Guide, who I have deliberately not named)
at the time, and I suspect it was due to Aspect Security's dominance of
the OWASP Board.

Several former employees of Aspect Security have also taken subsequent
action to block their (Aspect Security's) further commercial
exploitation of OWASP, such as Jim Manico; his comments related to the
OWASP Risk Rating Methodology are at
http://lists.owasp.org/pipermail/owasp-board/2013-March/011679.html

I fail to see the advantage in attempting to catch up as OWASP has
lost its leadership position within several areas of Web Application
Security with other parties that have more mature risk management and
associated vulnerability patch and/or workaround frameworks.
Furthermore, these other parties have not resisted the inclusion of
external contributions as OWASP has in the past.

If you are interested in contributing to CVSSv3, then I can facilitate
an introduction to Seth for you.

On Sat, Aug 24, 2013 at 4:46 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
> I am copying Tom if he thinks this discussion should be brought to a larger
> group including the authors of the OWASP risk methodology  :)

I am not sure which "Tom" you are referring to, and neither is a
Tom listed within
https://www.owasp.org/index.php?title=OWASP_Risk_Rating_Methodology&action=history.
That stated, I would advise against escalating this to the "Tom" who
is the subject within
http://lists.owasp.org/pipermail/owasp-board/2008-September/006845.html
as it was Aspect Security that raised the objection in this specific
instance (of 2008).


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
