[Owasp-topten] 2010 RC - OWASP Threat Risk Modeling

Christian Heinrich christian.heinrich at owasp.org
Mon Apr 5 21:28:35 EDT 2010


Dave,

I was just reading http://www.owasp.org/index.php/Threat_Risk_Modeling
- the "OWASP Risk Rating Methodology" isn't referenced on this wiki
page (it should be, but this may just be an oversight).

Considering the "OWASP Risk Rating Methodology" isn't the "Threat Risk
Modeling" recommended approach, can this be clarified within the FINAL
release of the OWASP Top Ten 2010? i.e. it might require
http://www.owasp.org/index.php/Threat_Risk_Modeling to be modified for
instance?

Also, could the residual risk of each entry also be calculated with
AS/NZS 4360, STRIDE, DREAD, etc. (where applicable) and any major
variance (against business risk) or its lack of applicability be
clarified in the FINAL release of the OWASP Top Ten 2010?


-- 
Regards,
Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking

