[Owasp-topten] 2010 RC - Severity != Risk

Calderon, Juan Carlos (GE, Corporate, Consultant) juan.calderon at ge.com
Mon Dec 28 10:30:05 EST 2009


The OWASP TopTen 2010 is generic on those, that is, Jeff and Dave choose 
what the best general/average value is for each issue was based on the 
metrics, their experience and feedback from others.

As stated in the document this is the industry top 10 and you can addapt it 
to your company by modifying those specific values to your situation in 
particular. Thus, your company top 10, although based on OWASP's, might be 
different and still will be Risk based.

At least that is how I understand the spirit on this topic. Jeff/Dave 
correct me if I am wrong, regards,


----- Original Message ----- 
From: "Christian Heinrich" <christian.heinrich at owasp.org>
To: <owasp-topten at lists.owasp.org>
Sent: Monday, December 28, 2009 4:22 AM
Subject: [Owasp-topten] 2010 RC - Severity != Risk

> Jeff,
> I have reviewed the OWASP Top Ten RIsk Rating Methodology and have
> concluded that this represents severity and not (residual) risk.
> This is due to the inability to measure the "Threat Agents" and
> "Business Impact" which are metrics specific to the environment and
> therefore required (i.e. "Threat Agents and "Business Impact" to
> measure the (residual) risk.
> Can references to "risk" in the RC be modified to "severity" in the
> final release?
> -- 
> Regards,
> Christian Heinrich - http://sn.im/cmlh_linkedin_profile
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> Speaking Schedule at http://sn.im/cmlh_speaking_schedule
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten

More information about the Owasp-topten mailing list