[Owasp-topten] 2010 RC - Severity != Risk
Calderon, Juan Carlos (GE, Corporate, Consultant)
juan.calderon at ge.com
Mon Dec 28 10:30:05 EST 2009
The OWASP TopTen 2010 is generic on those, that is, Jeff and Dave chose
what the best general/average value for each issue was, based on the
metrics, their experience and feedback from others.
As stated in the document this is the industry top 10 and you can adapt it
to your company by modifying those specific values to your situation in
particular. Thus, your company's top 10, although based on OWASP's, might be
different and still will be risk based.
At least that is how I understand the spirit of this topic. Jeff/Dave,
correct me if I am wrong. Regards,
----- Original Message -----
From: "Christian Heinrich" <christian.heinrich at owasp.org>
To: <owasp-topten at lists.owasp.org>
Sent: Monday, December 28, 2009 4:22 AM
Subject: [Owasp-topten] 2010 RC - Severity != Risk
> I have reviewed the OWASP Top Ten Risk Rating Methodology and have
> concluded that this represents severity and not (residual) risk.
> This is due to the inability to measure the "Threat Agents" and
> "Business Impact", which are metrics specific to the environment and
> therefore required (i.e. "Threat Agents" and "Business Impact") to
> measure the (residual) risk.
> Can references to "risk" in the RC be modified to "severity" in the
> final release?
> Christian Heinrich - http://sn.im/cmlh_linkedin_profile
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> Speaking Schedule at http://sn.im/cmlh_speaking_schedule
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
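Added example, not part of this thread and not the OWASP Top 10 project's own material: a small Python calculator that applies the factor groups of the general OWASP Risk Rating Methodology (threat agent, vulnerability, technical impact, business impact; each factor scored 0-9, each group averaged, 0-<3 LOW, 3-<6 MEDIUM, 6-9 HIGH) and its likelihood/impact matrix. With only the generic factors a list like the Top 10 can supply, it yields what Christian calls severity; when an organization plugs in its own threat-agent and business-impact scores, as Juan describes, it yields residual risk. Note that the Top 10 2010 document itself uses a simplified rating table rather than this 0-9 scale. The factor values, the two organizations and the decision to leave the threat-agent group out of the likelihood average when it is unknown are constructed assumptions for illustration only.

```python
"""Severity vs. residual risk under the OWASP Risk Rating Methodology.

Added example (not from the mailing-list thread). Factor groups, 0-9 scale
and the overall rating matrix follow the general OWASP Risk Rating
Methodology; every numeric value below is constructed for illustration.
"""
from statistics import mean


def level(score):
    """Map an averaged 0-9 group score to LOW / MEDIUM / HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# Overall rating matrix, keyed by (likelihood level, impact level).
MATRIX = {
    ("LOW", "LOW"): "NOTE",      ("MEDIUM", "LOW"): "LOW",       ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM",   ("MEDIUM", "HIGH"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def rate(vulnerability, technical_impact, threat_agent=None, business_impact=None):
    """Return (likelihood score, impact score, overall rating).

    vulnerability / technical_impact are the generic factor groups a Top 10
    style list can supply.  threat_agent / business_impact are the
    environment-specific groups.  Assumption for this example: when the
    threat-agent group is unknown, likelihood is averaged over the
    vulnerability factors alone; when business impact is supplied it is
    used instead of technical impact, as the methodology recommends.
    """
    likelihood_factors = dict(vulnerability)
    if threat_agent:
        likelihood_factors.update(threat_agent)
    impact_factors = dict(business_impact) if business_impact else dict(technical_impact)
    likelihood = mean(likelihood_factors.values())
    impact = mean(impact_factors.values())
    return likelihood, impact, MATRIX[(level(likelihood), level(impact))]


# Constructed generic rating for one weakness (an injection-style flaw).
WEAKNESS = {
    "vulnerability": {"ease_of_discovery": 7, "ease_of_exploit": 5,
                      "awareness": 9, "intrusion_detection": 8},
    "technical_impact": {"loss_of_confidentiality": 7, "loss_of_integrity": 7,
                         "loss_of_availability": 5, "loss_of_accountability": 7},
}

# Constructed environment-specific factors for two hypothetical organizations.
ORG_INTERNET_FACING = {
    "threat_agent": {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9},
    "business_impact": {"financial_damage": 7, "reputation_damage": 9,
                        "non_compliance": 7, "privacy_violation": 9},
}
ORG_INTERNAL_TOOL = {
    "threat_agent": {"skill_level": 3, "motive": 1, "opportunity": 4, "size": 2},
    "business_impact": {"financial_damage": 1, "reputation_damage": 1,
                        "non_compliance": 2, "privacy_violation": 3},
}


def severity(weakness):
    """Generic rating: only the factors a Top 10 list can know."""
    return rate(weakness["vulnerability"], weakness["technical_impact"])


def residual_risk(weakness, org):
    """Environment-specific rating: the same weakness rated for one organization."""
    return rate(weakness["vulnerability"], weakness["technical_impact"],
                org["threat_agent"], org["business_impact"])


if __name__ == "__main__":
    print("severity (generic):     ", severity(WEAKNESS))
    print("risk, internet-facing:  ", residual_risk(WEAKNESS, ORG_INTERNET_FACING))
    print("risk, internal tool:    ", residual_risk(WEAKNESS, ORG_INTERNAL_TOOL))
```

Running it shows the point both messages make: the generic rating of the weakness is CRITICAL, and it stays CRITICAL for the internet-facing organization, but the internal tool with a weak threat agent and minor business impact rates the identical weakness LOW. The list's values are a severity until the environment-specific groups are filled in.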