[Owasp-topten] 2010 RC - Severity != Risk

Christian Heinrich christian.heinrich at owasp.org
Mon Dec 28 17:29:08 EST 2009


The OWASP Risk Rating Methodology appears to be based on AS/NZS 4360
with a number of additional metrics specific to webappsec.

Based on 4360, "Severity" would be defined as "Impact" (based on your
definition in your e-mail).  It can also be referred to as "Damage

My preferred method to express technical risk to the business is
CVSSv2 as the fundamental issue with 4360 is the subjectivity of the
likelihood and impact based on various perspectives (e.g. a different
residual risk can be perceived by the Audit Committee to that of the

Coincidentally, WASC has recently begun to supplement their statistics
with CVSSv2 Base Metrics (i.e. "Impact" or "Damage Consequence" or
"Severity") only and hence have excluded the Temporal and
Environmental Metrics (of CVSSv2).

CVSSv2 has also been adopted by PCI SCC (considering their adoption of
the OWASP Top Ten).

On Tue, Dec 29, 2009 at 3:23 AM, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:
> What is your definition of severity? We have defined risk as likelihood
> times impact and acknowledged that there are factors of both we can't
> measure in your environment.  However we think this is still risk.
> Dave

Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
