[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Tue Aug 27 00:52:32 UTC 2013


On Mon, Aug 26, 2013 at 10:42 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
> Christian, it looks like you are going solo on throwing out the baby with the bath water... also you keep discounting other people's contributions and points of view on this. Please exercise restraint and consider other people's points of view; you are not helping the discussion. Sorry, very disappointed. Cheers, Marco

Your conclusion is incorrect, as this sequence of events shows that I
approached the OWASP Testing Guide Project Leader to update the
OWASP Risk Rating Methodology:

1. Just after the release of the OWASP Top Ten 2010, based on the
well-known dependency of these two bodies of work on each other.

2. The intention at the time was to merge the OWASP Risk Rating
Methodology into CVSSv2 (which I had presented in 2007 i.e.
http://www.slideshare.net/cmlh/cvss) and then with AS/NZS ISO
31000:2009 in consultation with the relevant committee within Standard

The above was rejected from the outset by OWASP at the time due to a
political dispute between the Project Leader and Aspect Security.

Subsequently I have asked you and/or Josh for two artifacts that
compare the OWASP Risk Rating Methodology to:
1. CVSSv3 (or CVSSv2); and
2. ISO 31000:2009.

If you lack the understanding of both of these two bodies of work then
the proposal to update the OWASP Risk Rating Methodology is not
applicable to the intended audience (i.e. risk managers) and the level
of innovation and value add to the webappsec community is unknown and
therefore will cause confusion in an already crowded market place.

Hence, the recommendation to abort/deprecate/etc. the OWASP Risk Rating

Christian Heinrich
