[Owasp-testing] CVSS v2

Christian Heinrich christian.heinrich at cmlh.id.au
Sat May 11 02:25:33 UTC 2013


Colin,

On Fri, May 10, 2013 at 5:18 PM, Colin Watson <colin.watson at owasp.org> wrote:

> Very useful points and references, which I don't disagree with.
>

I also presented http://www.slideshare.net/cmlh/cvss from 2006 and as part
of this research considered the published minutes of the FIRST SIG
conference calls during the development of CVSSv2.

As I have stated previously, the issues identified within
http://www.slideshare.net/cmlh/cvss are being addressed by the FIRST
CVSS-SIG for CVSSv3.

On Fri, May 10, 2013 at 5:18 PM, Colin Watson <colin.watson at owasp.org> wrote:
>
> For custom-built web applications, which I think was the original
> question, I would personally not use CVSS2. I am keeping my eyes on
> CWRAF and CWSS:
>
>    http://cwe.mitre.org/cwraf/
>

I include CWRAF as a recommendation in the Executive Brief since I believe
the risk management function of the business is better at measuring their
residual risk when acting as the external independent auditor.

Also, you may still be able to locate CVE(s) of the published API(s) since
developers tend to reuse API(s) in the development of multiple web
applications.  Hence, it may still be possible to quote the CVSS Base Score in
the deliverable as part of encouraging the business to leverage CWRAF.



-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
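The "CVSS Base Score" the message suggests quoting for a CVE is derived from the six CVSS v2 base metrics in the CVE's vector string. The following calculator is an added example, not code from this thread or from FIRST; it implements the published CVSS v2 base equation (weights and constants from the CVSS v2 specification) and maps the result to the NVD v2 severity buckets (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0). The vector strings in the usage section are constructed sample inputs.

```python
"""CVSS v2 base-score calculator (added illustration, not part of the original post)."""
import math

# Metric weights as published in the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}        # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}     # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}       # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}               # None / Partial / Complete

# Which lookup table applies to each base metric.
METRIC_TABLES = {
    "AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
    "C": IMPACT, "I": IMPACT, "A": IMPACT,
}


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' (with or without surrounding parentheses).

    Returns a dict of metric -> weight. Raises ValueError on a malformed vector,
    an unknown metric or value, or a missing base metric, so that a typo in a
    copied CVE entry is reported rather than silently scored.
    """
    vector = vector.strip().strip("()")
    weights = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if key not in METRIC_TABLES:
            raise ValueError(f"unknown CVSS v2 base metric: {key!r}")
        if value not in METRIC_TABLES[key]:
            raise ValueError(f"invalid value {value!r} for metric {key}")
        weights[key] = METRIC_TABLES[key][value]
    missing = [m for m in METRIC_TABLES if m not in weights]
    if missing:
        raise ValueError(f"missing base metric(s): {missing}")
    return weights


def round_to_1_decimal(x: float) -> float:
    """CVSS v2 round_to_1_decimal: round half up, avoiding Python's banker's rounding."""
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector: str) -> float:
    """Compute the CVSS v2 base score for a base-metric vector string."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176   # zero impact forces a zero score
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def nvd_severity(score: float) -> str:
    """NVD's qualitative bucket for a CVSS v2 base score."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


if __name__ == "__main__":
    # Constructed sample vectors: a remotely reachable full compromise,
    # a typical reflected XSS, and a no-impact vector.
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C",
              "AV:N/AC:M/Au:N/C:N/I:P/A:N",
              "AV:N/AC:L/Au:N/C:N/I:N/A:N"):
        s = base_score(v)
        print(f"{v}  ->  {s:4.1f}  ({nvd_severity(s)})")
```

A base score taken this way describes the vulnerability in the reused API itself; it carries no information about the deploying business's exposure or compensating controls, which is the gap CWRAF is meant to fill in the deliverable.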