[Owasp-topten] 2010 RC - Severity != Risk

Christian Heinrich christian.heinrich at owasp.org
Mon Dec 28 05:22:19 EST 2009


I have reviewed the OWASP Top Ten Risk Rating Methodology and have
concluded that this represents severity and not (residual) risk.

This is due to the inability to measure the "Threat Agents" and
"Business Impact", which are metrics specific to the environment and
therefore required (i.e. "Threat Agents" and "Business Impact") to
measure the (residual) risk.

Can references to "risk" in the RC be modified to "severity" in the
final release?

Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule
