[Owasp-testing] CVSS v2

alberto cuevas beto.cuevas.v at gmail.com
Wed May 8 18:06:06 UTC 2013


Hello,

The OWASP Testing Guide proposes the use of the OWASP Risk Rating
Methodology (actually we used this for web pentest results).

- Could this be noted as a standard methodology? (I guess the majority of
the community uses this)
- Has anyone seen the limits of this methodology in certain situations?
- Which other methodologies can be recommended for use rather than the OWASP
Risk Rating Methodology?

Thanks in advance for your guidance.

Beto

2013/5/7 jm <sysvar0 at gmail.com>

> Vulnerability-centric
> Qualitative
> Coarse-grained
> Simple
> Concise
> Contextually extensible
> Open framework
> Inconsistent implementations
> In relative wide-use
> One-to-one mappings - does not scale well for multiple vulnerabilities
> On May 7, 2013 7:46 p.m., "Eoin" <eoin.keary at owasp.org> wrote:
>
>> CVSS pretty much is devoid of context.
>> It does not consider client attacks IMHO. It's more of a traditional
>> security issue rating system. PCI mapping to CVSS v2 for appsec is pretty
>> poor.
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 8 May 2013, at 00:34, alberto cuevas <beto.cuevas.v at gmail.com> wrote:
>>
>> Hello,
>>
>> Section 5.1 HOW TO VALUE THE REAL RISK of the OWASP Testing Guide v3 notes:
>>
>>
>> "Ideally, there would be a universal risk rating system that would
>> accurately estimate all risks for all organizations. But a vulnerability
>> that is critical to one organization may not be very important to another.
>> So we're presenting a basic framework here that you should customize for
>> your organization."
>>
>> Hence, the following questions came to mind:
>>
>> - Is it a good idea to use CVSS v2 to score web pentest results? (I think
>> so, since temporal and environmental metrics can produce different ratings,
>> which determine how critical the vulnerability is for one organization or
>> another.)
>>
>> - I read that CVSS v2 has some limitations for scoring combined
>> vulnerabilities. So, in case of using CVSS v2 to score, does some way exist
>> to solve this issue?
>>
>> I wonder if there are opinions on the ups and downs of using CVSS v2 to
>> rate web pentest results. I appreciate in advance any help or
>> information you can give me.
>>
>> Best Regards,
>>
>> Beto
>>
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>
>>
>
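Beto's question in the quoted message, whether the temporal and environmental metrics let the same finding come out at different severities for different organisations, can be made concrete with a small calculator. This is an added example, not code from the thread, from OWASP or from FIRST: it implements the base, temporal and environmental equations of the CVSS v2 specification, and every vector it is fed is a constructed sample, not a finding from the thread.

```python
from decimal import Decimal, ROUND_HALF_UP

D = Decimal
# Metric weights from the CVSS v2 specification (base, temporal and environmental groups).
W = {
    "AV": {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")},
    "AC": {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")},
    "Au": {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")},
    "C": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "I": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "A": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "E": {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")},
    "RL": {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")},
    "RC": {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")},
    "CDP": {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")},
    "TD": {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")},
    "CR": {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
    "IR": {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
    "AR": {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
}
# Temporal and environmental metrics default to Not Defined when the vector omits them.
DEFAULTS = {k: "ND" for k in ("E", "RL", "RC", "CDP", "TD", "CR", "IR", "AR")}

def round1(x):
    """The spec's round_to_1_decimal; Decimal keeps .x5 cases from binary-float drift."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)

def cvss2(vector):
    """Return (base, temporal, environmental) as floats for a CVSS v2 vector string."""
    m = dict(DEFAULTS)
    m.update(part.split(":") for part in vector.split("/"))
    w = {k: W[k][v] for k, v in m.items()}
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    def base_from(impact):  # f(impact) is 0 when the finding has no C/I/A impact at all
        f = D("1.176") if impact else D("0")
        return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f)
    def temporal_from(base):
        return round1(base * w["E"] * w["RL"] * w["RC"])
    impact = D("10.41") * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    base = base_from(impact)
    temporal = temporal_from(base)
    # Environmental: the organisation's C/I/A requirements re-weight impact (capped at 10);
    # collateral damage potential and target distribution then scale the adjusted temporal score.
    adj_impact = min(D(10), D("10.41") * (1 - (1 - w["C"] * w["CR"])
                                            * (1 - w["I"] * w["IR"]) * (1 - w["A"] * w["AR"])))
    adj_temporal = temporal_from(base_from(adj_impact))
    environmental = round1((adj_temporal + (10 - adj_temporal) * w["CDP"]) * w["TD"])
    return float(base), float(temporal), float(environmental)
```

Feeding the same constructed base vector AV:N/AC:L/Au:N/C:P/I:P/A:P (base 7.5) once with CDP:N/TD:L/CR:L/IR:L/AR:L and once with CDP:H/TD:H/CR:H/IR:H/AR:H yields environmental scores of 1.4 and 9.4, which is exactly the organisation-dependence Beto describes. It also shows the limit raised in the thread: each call scores one vector, so combining several findings into one rating is left to the assessor.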