[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Tue Aug 27 00:09:56 UTC 2013


On Tue, Aug 27, 2013 at 4:59 AM, Pete Herzog <pete at isecom.org> wrote:
> I'm aware of your work on CVSSv3 from your posts on the DailyDave
> list. As far as I can tell it's not done yet or there's no further
> development except what's posted here:
> http://www.first.org/cvss/v3/development
> There doesn't seem to be a public link. So it seems to be a closed
> development group as I couldn't easily see how I could get a copy of
> of cvssv3 to read. It's just not developed in a transparent manner.

The link to the CVSS-SIG is prominently displayed on the left side of
the http://www.first.org/ homepage

Furthermore, all patents and other intellectual property rights have
to be surrendered to participate in the development of the CVSS and as
far as I am aware this is above what even OWASP requires.

On Tue, Aug 27, 2013 at 4:59 AM, Pete Herzog <pete at isecom.org> wrote:
> Then again maybe that's all perspective.
> OSSTMM is also developed by a team of volunteers and to gain access to
> the development you need to help work on it or financially support
> development. When it's done we publish it for free as Open Source as
> we have 8 other times before this coming version 4. It helps us keep
> the project alive as well as keeping people from using an unfinished
> version and being unsatisfied, never to return again even once it's
> been improved. More than unsatisfied, the importance of security
> testing and measurements is so vital to many organizations that we
> need to be REALLY sure they know what is experimental and what isn't
> so as not to aide in someone screwing up a test for following an
> incomplete instruction set. And the team/subscriber hoop people need
> to jump through solves that problem.
> There's a lot of way to do open source and there's a lot of ways to
> provide transparency. We do it through our teams and our lists as they
> also suggest here:
> http://opensource.com/life/13/7/10-secrets-open-source-communities

OWASP has also followed a similar "secret" process as

On Tue, Aug 27, 2013 at 4:59 AM, Pete Herzog <pete at isecom.org> wrote:
> If you wanted to see and try the OSSTMM web app testing in development
> you could have let us know and done some review for us or at least
> give feedback if you were going to read it anyway. But you didn't
> contact anyone in the team and you didn't ask for a copy anywhere I
> can see. Just like I didn't with CVSSv3 when I didn't find it right
> away. But I didn't call it closed source or not transparent. It is
> what it is and if I think I need it, I'll ask. Just like many students
> using OSSTMM in there thesis ask us for a copy of the latest stuff and
> we give it to them because they give back by applying our stuff in
> real and new ways.

Yes, I have been familiar with OSSTMM since release v2 (maybe earlier)
from memory.  The reason that I walked away from it was that it was
full of self righteous statements related to ethics and "Hacking
Exposed" has more technical content while being what is a
sensationalised publication (i.e. "Hacking Exposed").

Neither would the markings of both "Alpha" and "Draft" convince me to
read your webappsec methodology since it doesn't have the same peer
reviewed contributors as the OWASP Testing Guide,
http://mdsec.net/wahh/, etc.

Raoul Chiesa and I know each other from presenting at the same
conference in Europe. Coincidently he want me to replace
as the Australian representative for  http://www.isecom.org/team.html
because of their well known lack of skill.

On Tue, Aug 27, 2013 at 4:59 AM, Pete Herzog <pete at isecom.org> wrote:
> By the way, we did introduce the document within OWASP at a public
> meeting to get feedback from web developers and testers:
> http://seclists.org/webappsec/2010/q3/49
> Sorry if this escaped your notice. But we do them every once in a
> while so maybe you can catch the next somewhere, even on your continent.

After watching the heckling from the audience at
http://www.sector.ca/speakers2008.htm#Pete_Herzog I can't see the
additional value in travelling to North Carolina.  I believe the
positive reviews of the North Carolina event are attributed to Michael
Menefee not disclosing his conflict of interest i.e.

On Tue, Aug 27, 2013 at 4:59 AM, Pete Herzog <pete at isecom.org> wrote:
> And by the way, I'm all for an OWASP Risk Rating. I think risk ratings
> are quite personal so they offer an interesting perspective based on
> the concerns of the organization developing them. They expand the
> thought field of security and help people frame what's important to
> them in the realm of that metric. With a field as big and imprecise as
> security we need all the new ideas we can get.

This endorsement of the OWASP Risk Rating Methodology is the similar
to that from people who believe vulnerability assessment is a
different name of penetration testing and therefore consider OSSTMM as
a creditable body of knowledge.

Due to criticisms of OSSTMM from multiple parties with no relationship
to each other (hence no collusion) i.e.
https://twitter.com/mhackling/status/46376971336290304, etc OWASP has
aligned itself with PTES too i.e.
https://twitter.com/indi303/status/78476821305360385 and

Christian Heinrich


More information about the Owasp-testing mailing list