[Owasp-testing] CVSS v2

Christian Heinrich christian.heinrich at cmlh.id.au
Thu May 9 03:01:02 UTC 2013


Eoin,

CVSSv3 has been in active development since June 2012 (i.e. for almost a
year), and the intent is to address the lack of consideration of the "end
user", i.e. the "client" web browser; this has been listed/recorded/minuted
by the CVSS-SIG as per
http://cmlh.id.au/post/25150772855/cvssv3-call-subjects

Since both CVSSv2 and CVSS(v1) consider the lifecycle of a vulnerability
(i.e. from discovery to the development of an exploit), they are *not*
comparable to a "traditional security issue rating system" such as AS/NZS
4360, which was updated and released as an ISO standard in 2009, i.e.
ISO 31000.

On Wed, May 8, 2013 at 9:43 AM, Eoin <eoin.keary at owasp.org> wrote:

> CVSS pretty much is devoid of context.
> It does not consider client attacks IMHO. It's more of a traditional
> security issue rating system. PCI mapping to CVSS v2 for appsec is pretty
> poor.
>


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact