[Owasp-topten] 2010 RC - Severity != Risk

Dave Wichers dave.wichers at aspectsecurity.com
Thu Dec 31 10:21:58 EST 2009


On the leaders list you might have seen some discussion of working with
Facebook and they seem receptive but time will tell. 

Let's see how that plays out.

As I've said before, I don't think rating the top 10 on severity only
is a good idea. The last top 10 rated them on prevalence only. And we
need to account for both, not just one or the other.

-Dave

-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Christian
Heinrich
Sent: Thursday, December 31, 2009 5:39 AM
To: owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] 2010 RC - Severity != Risk

Dave,

I doubt their intention is raising the awareness of webappsec
considering the recent "benefit" to the privacy settings of their end
users - their agenda is maintaining the status quo while appearing to
raise awareness of webappsec.

While I was expecting resistance to the recommendation of rating each
entry based on severity, this is an opportunity for OWASP to leverage
off others' incorrect perception and provide a resource whose entries
cannot be misrepresented based on its initial reading and which cannot
be questioned due to (mis)interpretation of the OWASP Risk Rating
Methodology.

On Thu, Dec 31, 2009 at 3:06 AM, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:
> I think you are reading too much into their sentence. I read that page
> before you referred to it and nothing jumped out at me as being
> seriously wrong. Again, they are trying to raise awareness not split
> hairs so I think what they have done is good.
>
> -Dave
>

-- 
Regards,
Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule
_______________________________________________
Owasp-topten mailing list
Owasp-topten at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-topten
