[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Mon Aug 26 11:11:36 UTC 2013


"... For example, a SQL injection problem is frequently CRITICAL, but
it might also be a LOW risk finding if the database is already public
and only an administrator could possibly exploit the flaw. ..."  to
quote page 7 of
I can understand that risk managers might not comprehend technology,
but even they have agreed with me that that quote is the worst calculation
of inherent and residual risk that has ever been published.

Until I see what additional value the OWASP Risk Rating
Methodology would provide above ISO 31000 and CVSS, it is neither a
good start nor a framework, for that matter.  Hence it should be removed
from the OWASP Testing Guide (since it taints what is otherwise good
work within the Testing Guide) and marked as aborted.

On Mon, Aug 26, 2013 at 8:45 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Hey now, the OWASP Risk Rating is a good start and possibly even a
> good framework. It just needs an update. I also think that if you use
> "highest impact" instead of the "average impact" the numbers fall out
> better.
> As for project sponsorship issues, we desperately need better rules of
> play that are consistent across all projects. We really do not have
> that right now.
> The board is actively working on this and will submit a few proposals
> for the membership community to vote on, and soon.

Christian Heinrich

