[Owasp-topten] 2010 RC - Severity != Risk

Dave Wichers dave.wichers at aspectsecurity.com
Thu Dec 31 10:21:58 EST 2009

On the leaders list you might have seen some discussion of working with
Facebook and they seem receptive but time will tell. 

Let's see how that plays out.

And I've said before, I don't think rating the top 10 on severity only
is a good idea. The last top 10 rated them on prevalence only. And we
need to account for both, not just one or the other.

-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Christian
Sent: Thursday, December 31, 2009 5:39 AM
To: owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] 2010 RC - Severity != Risk
I doubt their intention is raising the awareness of webappsec
considering the recent "benefit" to the privacy settings of their end
users - their agenda is maintaining the status quo while appearing to
raise awareness of webappsec.

While I was expecting resistance to the recommendation of rating each
entry based on severity, this is an opportunity for OWASP to leverage
off others' incorrect perception and provide a resource whose entries
cannot be misrepresented based on its initial reading and which cannot
be questioned due to (mis)interpretation of the OWASP Risk Rating
On Thu, Dec 31, 2009 at 3:06 AM, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:
> I think you are reading too much into their sentence. I read that page
> before you referred to it and nothing jumped out at me as being
> seriously wrong. Again, they are trying to raise awareness not split
> hairs so I think what they have done is good.
> -Dave

Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule