[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Pete Herzog lists at isecom.org
Mon Aug 26 22:38:01 UTC 2013


Hi Christian,

I'm aware of your work on CVSSv3 from your posts on the DailyDave
list. As far as I can tell it's not done yet or there's no further
development except what's posted here:
http://www.first.org/cvss/v3/development
There doesn't seem to be a public link. So it seems to be a closed
development group as I couldn't easily see how I could get a copy of
CVSSv3 to read. It's just not developed in a transparent manner.

Then again maybe that's all perspective.

OSSTMM is also developed by a team of volunteers and to gain access to
the development you need to help work on it or financially support
development. When it's done we publish it for free as Open Source as
we have 8 other times before this coming version 4. It helps us keep
the project alive as well as keeping people from using an unfinished
version and being unsatisfied, never to return again even once it's
been improved. More than unsatisfied, the importance of security
testing and measurements is so vital to many organizations that we
need to be REALLY sure they know what is experimental and what isn't
so as not to aid in someone screwing up a test for following an
incomplete instruction set. And the team/subscriber hoop people need
to jump through solves that problem.

There's a lot of ways to do open source and there's a lot of ways to
provide transparency. We do it through our teams and our lists as they
also suggest here:

http://opensource.com/life/13/7/10-secrets-open-source-communities

If you wanted to see and try the OSSTMM web app testing in development
you could have let us know and done some review for us or at least
given feedback if you were going to read it anyway. But you didn't
contact anyone in the team and you didn't ask for a copy anywhere I
can see. Just like I didn't with CVSSv3 when I didn't find it right
away. But I didn't call it closed source or not transparent. It is
what it is and if I think I need it, I'll ask. Just like many students
using OSSTMM in their thesis ask us for a copy of the latest stuff and
we give it to them because they give back by applying our stuff in
real and new ways.

By the way, we did introduce the document within OWASP at a public
meeting to get feedback from web developers and testers:
http://seclists.org/webappsec/2010/q3/49

Sorry if this escaped your notice. But we do them every once in a
while so maybe you can catch the next somewhere, even on your continent.

And by the way, I'm all for an OWASP Risk Rating. I think risk ratings
are quite personal so they offer an interesting perspective based on
the concerns of the organization developing them. They expand the
thought field of security and help people frame what's important to
them in the realm of that metric. With a field as big and imprecise as
security we need all the new ideas we can get.

Sincerely,
-pete.

-- 
Pete Herzog - Managing Director - pete at isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org


On Thu, Aug 22, 2013 at 10:14 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> We should also keep in mind that work has been done in adapting the
> OSSTMM and its metrics for use in web app assessments.
> http://seclists.org/webappsec/2010/q3/49
> https://twitter.com/isecom/statuses/167973076301135872

OSSTMM is *not* developed in a transparent manner (i.e. closed source)
and this is demonstrated by
https://twitter.com/isecom/statuses/167973076301135872 i.e. there is
no public link within this tweet.

Furthermore, there are no web application security related published
bodies of work from http://www.isecom.org/team.html that are published
outside of ISECOM that I am aware of (I would welcome references that
prove this assumption is incorrect).

On Thu, Aug 22, 2013 at 10:14 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> Anyway, while that's still up in the air I'd like to do something
> with the existing wiki. Even if that is only to reverse the previous
> edit which sparked this thread. I was just really hoping that a few
> people would chime in with black or white (agreement or disagreement)
> on the topic.

I can't agree that this would be a good use of your time due to the
imminent release of CVSSv3 vs your expected outcome for the OWASP Risk
Rating Methodology. Rather, it is more advantageous for OWASP to
deprecate this as other bodies of work related to risk management have
improved significantly over time with multiple releases.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
