[Owasp-topten] 2010 RC - Severity != Risk

Dave Wichers dave.wichers at aspectsecurity.com
Mon Dec 28 11:36:24 EST 2009


Yep. That's right.

"Calderon, Juan Carlos (GE, Corporate, Consultant)" <juan.calderon at ge.com>
wrote:

Christian

The OWASP TopTen 2010 is generic on those; that is, Jeff and Dave chose
what the best general/average value for each issue was, based on the
metrics, their experience and feedback from others.

As stated in the document, this is the industry top 10 and you can adapt
it to your company by modifying those specific values to your particular
situation. Thus, your company top 10, although based on OWASP's, might be
different and will still be risk based.

At least that is how I understand the spirit of this topic. Jeff/Dave,
correct me if I am wrong. Regards,

-JC

----- Original Message -----
From: "Christian Heinrich" <christian.heinrich at owasp.org>
To: <owasp-topten at lists.owasp.org>
Sent: Monday, December 28, 2009 4:22 AM
Subject: [Owasp-topten] 2010 RC - Severity != Risk


> Jeff,
>
> I have reviewed the OWASP Top Ten Risk Rating Methodology and have
> concluded that this represents severity and not (residual) risk.
>
> This is due to the inability to measure the "Threat Agents" and
> "Business Impact", which are metrics specific to the environment and
> therefore required (i.e. "Threat Agents" and "Business Impact") to
> measure the (residual) risk.
>
> Can references to "risk" in the RC be modified to "severity" in the
> final release?
>
> --
> Regards,
> Christian Heinrich - http://sn.im/cmlh_linkedin_profile
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> Speaking Schedule at http://sn.im/cmlh_speaking_schedule

_______________________________________________
Owasp-topten mailing list
Owasp-topten at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-topten
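The point argued in this thread, rated in code as an added example (this is not code from OWASP or from any of the participants): the same weakness is scored once with only the environment-independent factors that a generic list can publish, and then again with two organisations' own Threat Agent and Business Impact scores filled in. The factor names, the 0-9 scales, the LOW/MEDIUM/HIGH bands and the overall rating matrix are those of the OWASP Risk Rating Methodology; the decision to average only the generic halves when the environment is unknown, and every sample score below, are assumptions constructed for this illustration.

```python
"""Severity versus residual risk under the OWASP Risk Rating Methodology.

Added example, not OWASP's or the thread participants' code.  Scales and
bands follow the OWASP Risk Rating Methodology; all sample scores are
constructed for illustration."""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


def band(score: float) -> str:
    """OWASP bands for a 0-9 likelihood or impact score."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP's overall rating matrix, indexed by (likelihood band, impact band).
OVERALL = {
    ("LOW", "LOW"): "NOTE",
    ("LOW", "MEDIUM"): "LOW", ("MEDIUM", "LOW"): "LOW",
    ("LOW", "HIGH"): "MEDIUM", ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "LOW"): "MEDIUM",
    ("MEDIUM", "HIGH"): "HIGH", ("HIGH", "MEDIUM"): "HIGH",
    ("HIGH", "HIGH"): "CRITICAL",
}


@dataclass(frozen=True)
class GenericFactors:
    """Factors that do not depend on who deploys the application, so a
    generic list can publish average values for them."""
    # Vulnerability factors (likelihood side)
    ease_of_discovery: int
    ease_of_exploit: int
    awareness: int
    intrusion_detection: int
    # Technical impact factors (impact side)
    loss_of_confidentiality: int
    loss_of_integrity: int
    loss_of_availability: int
    loss_of_accountability: int


@dataclass(frozen=True)
class EnvironmentFactors:
    """Factors only the deploying organisation can score: its own threat
    agents and what a compromise would cost that business."""
    # Threat agent factors (likelihood side)
    skill_level: int
    motive: int
    opportunity: int
    size: int
    # Business impact factors (impact side)
    financial_damage: int
    reputation_damage: int
    non_compliance: int
    privacy_violation: int


def rate(generic: GenericFactors, env: Optional[EnvironmentFactors] = None) -> dict:
    """Return likelihood, impact and the overall rating.

    Assumption made here: with no environment supplied, only the generic
    halves (vulnerability factors, technical impact) are averaged, which is
    the "severity" reading in the thread.  With an environment, OWASP's
    method averages all eight likelihood factors and uses business impact
    in place of technical impact, giving the environment-specific risk."""
    vuln = [generic.ease_of_discovery, generic.ease_of_exploit,
            generic.awareness, generic.intrusion_detection]
    tech = [generic.loss_of_confidentiality, generic.loss_of_integrity,
            generic.loss_of_availability, generic.loss_of_accountability]
    if env is None:
        likelihood, impact = mean(vuln), mean(tech)
    else:
        threat = [env.skill_level, env.motive, env.opportunity, env.size]
        business = [env.financial_damage, env.reputation_damage,
                    env.non_compliance, env.privacy_violation]
        likelihood, impact = mean(vuln + threat), mean(business)
    lb, ib = band(likelihood), band(impact)
    return {"likelihood": likelihood, "impact": impact,
            "likelihood_band": lb, "impact_band": ib, "overall": OVERALL[(lb, ib)]}


# Constructed sample: a widely known, easy-to-find injection-style weakness
# with serious technical consequences (not an OWASP published rating).
INJECTION = GenericFactors(
    ease_of_discovery=7, ease_of_exploit=5, awareness=9, intrusion_detection=8,
    loss_of_confidentiality=7, loss_of_integrity=7,
    loss_of_availability=5, loss_of_accountability=7,
)

# Constructed environments: an internal tool used by a few staff versus an
# internet-facing customer portal holding regulated personal data.
INTERNAL_TOOL = EnvironmentFactors(
    skill_level=3, motive=1, opportunity=4, size=2,
    financial_damage=1, reputation_damage=1, non_compliance=2, privacy_violation=3,
)
PUBLIC_PORTAL = EnvironmentFactors(
    skill_level=9, motive=9, opportunity=9, size=9,
    financial_damage=9, reputation_damage=9, non_compliance=7, privacy_violation=9,
)

if __name__ == "__main__":
    for label, env in [("generic (severity)", None),
                       ("internal tool", INTERNAL_TOOL),
                       ("public portal", PUBLIC_PORTAL)]:
        r = rate(INJECTION, env)
        print(f"{label:20} likelihood={r['likelihood']:.2f} ({r['likelihood_band']}) "
              f"impact={r['impact']:.2f} ({r['impact_band']}) -> {r['overall']}")
```

With these constructed scores the generic rating comes out CRITICAL, the internal tool LOW and the public portal CRITICAL: the published value is a severity that every deployer starts from, and it only becomes a risk figure once the organisation supplies the two app-specific factors, which is the adaptation JC describes.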
