[Owasp-testing] CVSS v2

jm sysvar0 at gmail.com
Wed May 8 00:35:07 UTC 2013


Vulnerability-centric
Qualitative
Coarse-grained
Simple
Concise
Contextually extensible
Open framework
Inconsistent implementations
In relatively wide use
One-to-one mappings - does not scale well for multiple vulnerabilities

jM

> On May 7, 2013 7:46 p.m., "Eoin" <eoin.keary at owasp.org> wrote:
>
>> CVSS pretty much is devoid of context.
>> It does not consider client attacks IMHO. It's more of a traditional
>> security issue rating system. PCI mapping to CVSS v2 for appsec is pretty
>> poor.
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 8 May 2013, at 00:34, alberto cuevas <beto.cuevas.v at gmail.com> wrote:
>>
>>> Hello,
>>>
>>> In section 5.1, HOW TO VALUE THE REAL RISK, of OWASP Testing Guide
>>> v3, it notes:
>>>
>>>
>>> "Ideally, there would be a universal risk rating system that would
>>> accurately estimate all risks for all
>>> organizations. But a vulnerability that is critical to one organization
>>> may not be very important to another.
>>> So we're presenting a basic framework here that you should customize
>>> for your organization."
>>>
>>> Hence, the following questions came to mind:
>>>
>>> - Is it a good idea to use CVSS v2 to score web pentest results? (I think
>>> so, since the temporal and environmental metrics can produce different
>>> ratings, which determine how critical the vulnerability is for one or
>>> another organization.)
>>>
>>> - I read that CVSS v2 has some limitations for scoring combined
>>> vulnerabilities. So, if CVSS v2 is used to score, does some way exist to
>>> solve this issue?
>>>
>>> I wonder if there are opinions on the ups and downs of using CVSS v2 to
>>> rate web pentest results. I appreciate in advance any help or
>>> information you can give me.
>>>
>>> Best Regards,
>>>
>>> Beto
>>>
>>> _______________________________________________
>>> Owasp-testing mailing list
>>> Owasp-testing at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-testing

