[Owasp-topten] 2010 RC - Severity != Risk

Christian Heinrich christian.heinrich at owasp.org
Thu Dec 31 05:38:48 EST 2009


Dave,

I doubt their intention is raising the awareness of webappsec
considering the recent "benefit" to the privacy settings of their end
users - their agenda is maintaining the status quo while appearing to
raise awareness of webappsec.

While I was expecting resistance to the recommendation of rating each
entry based on severity, this is an opportunity for OWASP to leverage
off others' incorrect perception and provide a resource whose entries
cannot be misrepresented based on its initial reading and which cannot
be questioned due to (mis)interpretation of the OWASP Risk Rating
Methodology.

On Thu, Dec 31, 2009 at 3:06 AM, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:
> I think you are reading too much into their sentence. I read that page before you referred to it and nothing jumped out at me as being seriously wrong. Again, they are trying to raise awareness, not split hairs, so I think what they have done is good.
>
> -Dave
>

-- 
Regards,
Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule

