[Owasp-topten] 2010 RC - Severity != Risk

Dave Wichers dave.wichers at aspectsecurity.com
Mon Dec 28 11:23:17 EST 2009

What is your definition of severity? We have defined risk as likelihood
times impact and acknowledged that there are factors of both we can't
measure in your environment. However, we think this is still risk.


Christian Heinrich <christian.heinrich at owasp.org> wrote:


I have reviewed the OWASP Top Ten Risk Rating Methodology and have
concluded that this represents severity and not (residual) risk.

This is due to the inability to measure the "Threat Agents" and
"Business Impact", which are metrics specific to the environment and
therefore required (i.e. "Threat Agents" and "Business Impact") to
measure the (residual) risk.

Can references to "risk" in the RC be modified to "severity" in the
final release?

Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule
