[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Marco Morana marco.m.morana at gmail.com
Mon Aug 26 12:42:41 UTC 2013


Christian, it looks like you are going solo on throwing out the baby with the bath water... also you keep discounting other people's contributions and points of view on this. Please exercise restraint and consider other people's points of view; you are not helping the discussion. Sorry, very disappointed.

Cheers,
Marco

Sent from my iPad

On 26 Aug 2013, at 12:11, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:

> Jim,
> 
> "... For example, a SQL injection problem is frequently CRITICAL, but
> it might also be a LOW risk finding if the database is already public
> and only an administrator could possibly exploit the flaw. ..."  to
> quote page 7 of
> https://www.aspectsecurity.com/uploads/downloads/2013/06/Aspect-2013-Global-AppSec-Risk-Report.pdf.
> I can understand that a risk manager might not comprehend technology,
> but even they have agreed with me that that quote is the worst calculation
> of inherent and residual risk that has ever been published.
> 
> Until I see what additional value the OWASP Risk Rating
> Methodology would provide above ISO 31000 and CVSS, it is neither a
> good start nor a framework for that matter.  Hence it should be removed
> from the OWASP Testing Guide (since it taints what is otherwise good
> work within the Testing Guide) and marked as aborted.
> 
> On Mon, Aug 26, 2013 at 8:45 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Hey now, the OWASP Risk Rating is a good start and possibly even a
>> good framework. It just needs an update. I also think that if you use
>> "highest impact" instead of the "average impact" the numbers fall out
>> better.
>> 
>> As for project sponsorship issues, we desperately need better rules of
>> play that are consistent across all projects. We really do not have
>> that right now.
>> 
>> The board is actively working on this and will submit a few proposals
>> for the membership community to vote on, and soon.
> 
> 
> -- 
> Regards,
> Christian Heinrich
> 
> http://cmlh.id.au/contact
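The disagreement above is about how the OWASP Risk Rating Methodology turns factor ratings into a severity, and whether averaging the impact factors (the published method) or taking the highest one (Jim's suggestion) gives better results. The following is an added worked example, written for this page and not code from the thread or from OWASP: it implements the methodology's structure (eight likelihood factors and eight impact factors rated 0-9, averaged, bucketed into LOW/MEDIUM/HIGH at 3 and 6, then combined in the severity matrix) and rates the SQL injection case from the quoted report under both aggregations. The two sets of factor ratings are constructed for illustration and are assumptions, not ratings from the report.

```python
"""Added example (not from the thread): the OWASP Risk Rating Methodology
as code, comparing the published 'average impact' aggregation with the
'highest impact' variant proposed in the thread.

Factor names follow the OWASP methodology; the 0-9 ratings for the two
SQL injection scenarios below are constructed for illustration."""
from statistics import mean

# Likelihood factors: four threat-agent factors, four vulnerability factors.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Impact factors: four technical, four business.
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity matrix, indexed by (likelihood band, impact band).
SEVERITY = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def bucket(score: float) -> str:
    """Map a 0-9 score to the methodology's three bands (0-<3, 3-<6, 6-9)."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _check(ratings: dict, expected: tuple) -> None:
    """Reject missing/unknown factors and ratings outside the 0-9 scale."""
    missing = set(expected) - ratings.keys()
    extra = ratings.keys() - set(expected)
    if missing or extra:
        raise ValueError(f"bad factor set: missing={missing} extra={extra}")
    for name, value in ratings.items():
        if not isinstance(value, int) or not 0 <= value <= 9:
            raise ValueError(f"{name} must be an integer 0-9, got {value!r}")


def rate(likelihood: dict, impact: dict, impact_agg=mean) -> dict:
    """Compute likelihood, impact and overall severity for one finding.

    impact_agg aggregates the eight impact factors: the methodology uses
    the average; pass max to try the 'highest impact' variant.
    """
    _check(likelihood, LIKELIHOOD_FACTORS)
    _check(impact, IMPACT_FACTORS)
    l_score = mean(likelihood.values())
    i_score = impact_agg(impact.values())
    l_band, i_band = bucket(l_score), bucket(i_score)
    return {
        "likelihood": (round(l_score, 3), l_band),
        "impact": (round(i_score, 3), i_band),
        "severity": SEVERITY[(l_band, i_band)],
    }


# Constructed scenario 1: SQL injection in an internet-facing customer portal,
# exploitable by anonymous users, reads and writes sensitive data, not logged.
PUBLIC_SQLI_LIKELIHOOD = dict(zip(LIKELIHOOD_FACTORS, (3, 9, 9, 9, 7, 5, 9, 9)))
PUBLIC_SQLI_IMPACT = dict(zip(IMPACT_FACTORS, (7, 7, 5, 9, 7, 9, 7, 9)))

# Constructed scenario 2: same bug class, but the data is already public and
# only an authenticated, audited administrator can reach the parameter.
ADMIN_SQLI_LIKELIHOOD = dict(zip(LIKELIHOOD_FACTORS, (3, 1, 0, 2, 7, 5, 9, 3)))
ADMIN_SQLI_IMPACT = dict(zip(IMPACT_FACTORS, (2, 7, 5, 1, 3, 4, 2, 3)))


def compare(likelihood: dict, impact: dict) -> dict:
    """Rate one finding under both impact aggregations, side by side."""
    return {"average": rate(likelihood, impact, mean),
            "highest": rate(likelihood, impact, max)}


if __name__ == "__main__":
    scenarios = {"public": (PUBLIC_SQLI_LIKELIHOOD, PUBLIC_SQLI_IMPACT),
                 "admin-only": (ADMIN_SQLI_LIKELIHOOD, ADMIN_SQLI_IMPACT)}
    for label, (lik, imp) in scenarios.items():
        for mode, result in compare(lik, imp).items():
            print(f"{label:11s} {mode:8s} {result}")
```

With these constructed ratings the internet-facing case is Critical under both aggregations, while the admin-only case lands on Medium when impact is averaged (one high integrity factor is diluted by seven low ones) and on High when the highest impact factor is used, which is the effect Jim describes. Whether that is the better answer is exactly the judgement call the thread is arguing about; the code only makes the arithmetic explicit.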

