[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Jim Manico jim.manico at owasp.org
Tue Aug 27 02:20:02 UTC 2013

We don't need to abort it. Why not just make it better and/or list
some of the problems with it? I'm fairly loud and aggressive regarding
pointing out vendor neutrality issues, and I do not see this as a
violation as it stands today.

Perhaps the testing guide can list several of these rating systems and
let the tester decide what to choose?

Christian, I'm aiming for a softer approach because at the end of the
day we are all just volunteers, even those that may have been abusive
in the past.

Jim Manico
(808) 652-3805

On Aug 27, 2013, at 8:53 AM, Christian Heinrich
<christian.heinrich at cmlh.id.au> wrote:

> Marco,
> On Mon, Aug 26, 2013 at 10:42 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
>> Christian, it looks like you are going solo on throwing out the baby with the bath water... also you keep discounting other people's contributions and points of view on this. Please exercise restraint and consider other people's points of view; you are not helping the discussion. Sorry, very disappointed.
>> Cheers,
>> Marco
> Your conclusion is incorrect, as this sequence of events shows that I
> approached the OWASP Testing Guide Project Leader to update the
> OWASP Risk Rating Methodology:
> 1. Just after the release of the OWASP Top Ten 2010 based on the well
> known dependency of these two bodies of work to each other.
> 2. The intention at the time was to merge the OWASP Risk Rating
> Methodology into CVSSv2 (which I had presented in 2007 i.e.
> http://www.slideshare.net/cmlh/cvss) and then with AS/NZS ISO
> 31000:2009 in consultation with the relevant committee within Standards
> Australia.
> The above was rejected from the outset by OWASP at the time due to a
> political dispute between the Project Leader and Aspect Security.
> Subsequently I have asked you and/or Josh for two artifacts that
> compare the OWASP Risk Rating Methodology to:
> 1. CVSSv3 (or CVSSv2) and;
> 2. ISO 31000:2009
> If you lack the understanding of both of these two bodies of work then
> the proposal to update the OWASP Risk Rating Methodology is not
> applicable to the intended audience (i.e. risk managers) and the level
> of innovation and value add to the webappsec community is unknown and
> therefore will cause confusion in an already crowded marketplace.
> Hence, the recommendation to abort/deprecate/etc the OWASP Risk Rating
> Methodology.
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
