[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Tue Aug 27 04:00:41 UTC 2013


Jim,

On Tue, Aug 27, 2013 at 12:20 PM, Jim Manico <jim.manico at owasp.org> wrote:
> We don't need to abort it. Why not just make it better and/or list
> some of the problems with it? I'm fairly loud and aggressive regarding
> pointing out vendor neutrality issues, and I do not see this as a
> violation as it stands today.

Unless evidence is produced which demonstrates that the proposed
changes to the OWASP Risk Rating Methodology are innovative over CVSS
and ISO 31000 then OWASP will cause nothing more than confusion in the
market and further loss position as the leader of the webappsec field
to ISECOM and others.

http://lists.owasp.org/pipermail/owasp-board/2013-March/011679.html is
dated less than six months ago which is in the last hour if yesterday
was when I proposed to update the OWASP Risk Rating in 2010.

https://www.owasp.org/index.php/Issues_Concerning_The_OWASP_Top_Ten_2013
is more recent (June), or last 15 minutes :) and proves that the OWASP
Risk Rating Methodology was manipulated for Aspect Security for
commercial gain.

On Tue, Aug 27, 2013 at 12:20 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Perhaps the testing guide can list several of these rating systems and
> let the tester decide what to choose?

We have https://www.owasp.org/index.php/Threat_Risk_Modeling already
and co-incidentally this doesn't list the OWASP Risk Rating
Methodology.

On Tue, Aug 27, 2013 at 12:20 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Christian, I'm aiming for a softer approach because at the end of the
> day we are all just volunteers, even those that may have been abusive
> in the past.

I have offered a resolution to Marco (and Josh) already that if there
is no evidence to support that an update to the OWASP Risk Rating
Methodology would provide what is already available within CVSS or ISO
31000 today then I am more than willing to facilitate an introduction
to the CVSS-SIG (unfortunately I can't assist with ISO directly but I
could approach Standards Australia for a contact of a standards body
within their respective country).


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact


More information about the Owasp-testing mailing list