[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Tue Aug 27 08:10:57 UTC 2013


Eoin,

Marco isn't a Project Leader and neither have I disagreed with Andrew Muller.

To me this seems to OWASP Risk Rating Methodology appears to be when
you stated that "... In future the GPC should be able to prevent such
silliness in terms of what can become an OWASP branded solution and
what is snake oil."  to quote
https://lists.owasp.org/pipermail/owasp-leaders/2010-July/003295.html

In light of your above statement, I would like to know how the OWASP
Risk Rating Methodology became part of the OWASP Testing Guide and not
the OWASP Top Ten where it is extensively referenced and how neither
ISO 31000 nor CVSS were considered based on your own QA?

On Tue, Aug 27, 2013 at 5:24 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> My opinion, as a previous lead of the testing guide, is that the decision to keep risk rating in or remove it is the team leader's. Everyone has the right to voice their opinion without being flamed. Please respect that the guide is a collaboration but the team lead is the leader of the project.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact

