[Owasp-testing] CVSS v2

Christian Heinrich christian.heinrich at cmlh.id.au
Thu May 9 04:29:41 UTC 2013


The OWASP Risk Rating Methodology is an exceptionally poor implementation
of integrating two discrete processes i.e. threat modelling with a
"traditional security issue rating" (to reuse Eoin's quote from

For instance, Google had been aware of the issue with Open Redirects since
2009 (and maybe earlier)
This led to Google indirectly (since this was the only example the
greater webappsec community could use as an example) questioning its
inclusion in the Top Ten 2010 release.

You can observe other examples of the above on the threads related to the
2010 and the proposed 2013 releases of the OWASP Top Ten i.e.

Another issue with the OWASP Risk Rating Methodology is the greater
commercial exploitation of OWASP by "Aspect Security" of which the thread
is available from

Political issues aside, the recommendation I would propose in the context
of an independent auditor presenting the results of a penetration test is

   1. Quote the "impact"/"severity"/"damage consequence"/"base metric" of
   the various sources only, i.e. CVSS (based on the CVE score recorded at
   http://web.nvd.nist.gov/view/vuln/search for independence), OWASP Top
   Ten (i.e. based on their risk rating methodology), etc.
   2. Include a recommendation to measure the "inherent" (i.e. before the
   implementation of controls) and "residual" (i.e. after the implementation
   of controls) risk, since audit, and therefore the board, are more accepting
   of ISO 31000 as part of their overall risk management.

Of note, I have only measured DREAD (Microsoft) for web applications I have
been involved in the secure development of i.e. *not* as an independent
auditor (where I include DREAD as a recommendation in the Executive Brief
of a penetration testing deliverable nonetheless to raise its awareness
with the intended audience).

You might also want to include a recommendation in the Executive Brief to
consider the threat agent based on STRIDE (Microsoft),
http://www.cert.org/octave/, etc., even if they have already.  Please note
that threat agents are not directly related to the
"impact"/"severity"/"damage consequence" in the context of ISO 31000, OWASP
Top Ten, or CVSS (i.e. "Base Metrics" only, i.e. not "Temporal" Metrics).

On Thu, May 9, 2013 at 4:06 AM, alberto cuevas <beto.cuevas.v at gmail.com> wrote:

> The OWASP Testing Guide proposes the use of the OWASP Risk Rating
> Methodology (actually we used this for pentest web results).
> - Could this be noted as a standard methodology? (I guess the majority of
> the community uses this)
> - Has anyone seen the limits of this methodology in certain situations?
> - Which other methodologies can be recommended for use rather than the OWASP
> Risk Rating Methodology?

Christian Heinrich
