[Owasp-testing] CVSS v2

Eoin eoin.keary at owasp.org
Tue May 7 23:43:46 UTC 2013


CVSS pretty much is devoid of context.
It does not consider client attacks IMHO. It's more of a traditional security issue rating system. PCI mapping to CVSS v2 for appsec is pretty poor. 

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 8 May 2013, at 00:34, alberto cuevas <beto.cuevas.v at gmail.com> wrote:

> Hello,
> 
> In section 5.1 HOW TO VALUE THE REAL RISK of the OWASP Testing Guide v3, it notes:
> 
> "Ideally, there would be a universal risk rating system that would accurately estimate all risks for all 
> organizations. But a vulnerability that is critical to one organization may not be very important to another. 
> So we're presenting a basic framework here that you should customize for your organization."
> 
> Whereby, the following questions came to mind:
> 
> - Is it a good idea to use CVSS v2 to score web pentest results? (I think so, since the temporal and environmental metrics can produce different ratings, which determines how critical the vulnerability is for one organization or another.)
> 
> - I read that CVSS v2 has some limitations for scoring combined vulnerabilities, so, in case of using CVSS v2 to score, does some way exist to solve this issue?
> 
> I wonder if there are opinions on the ups and downs of using CVSS v2 to rate the pentest web results. I appreciate in advance any help or information you can give me.
> 
> Best Regards,
> 
> Beto