[Owasp-topten] 2010 RC - Severity != Risk

Christian Heinrich christian.heinrich at owasp.org
Fri Jan 1 05:18:56 EST 2010


Dave,

The sampling methodology would be to sort the vulnerabilities based on
prevalence and then select those of high severity in order of
prevalence.

WASC provide CVSSv2 Base (i.e. severity) metrics for each webappsec
vulnerability.

On Fri, Jan 1, 2010 at 2:21 AM, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:
> On the leaders list you might have seen some discussion of working with
> Facebook and they seem receptive but time will tell.
>
> Let's see how that plays out.
>
> And I've said before, I don't think rating the top 10 on severity only
> is a good idea. The last top 10 rated them on prevalence only. And we
> need to account for both, not just one or the other.
>
> -Dave


-- 
Regards,
Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule
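The three ranking approaches discussed in this thread (prevalence only, as in the previous Top 10; prevalence-sorted and then filtered to high severity, as Christian proposes; and a combination of both, as Dave asks for) can be compared side by side on the same data. The following is an added illustration, not code from the thread, WASC or OWASP. The category names and their prevalence and CVSSv2 base figures are constructed for the example, the 7.0 cut-off is NVD's CVSSv2 "High" band, and the product used for the combined ranking is one simple way to "account for both", not the method OWASP adopted.

```python
from typing import List, NamedTuple, Optional


class Vuln(NamedTuple):
    name: str
    prevalence: float  # fraction of sampled applications affected (constructed)
    cvss_base: float   # CVSSv2 base score, 0.0-10.0 (constructed)


# Constructed sample data for illustration only; not real WASC/OWASP figures.
SAMPLE: List[Vuln] = [
    Vuln("Injection", 0.60, 9.0),
    Vuln("Cross-site scripting", 0.80, 4.3),
    Vuln("Information leakage", 0.90, 2.6),
    Vuln("Broken authentication", 0.45, 7.5),
    Vuln("Insecure direct object reference", 0.40, 6.5),
    Vuln("Security misconfiguration", 0.70, 5.0),
]

# NVD qualitative bands for CVSSv2 base scores: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0
HIGH_SEVERITY = 7.0


def _validate(vulns: List[Vuln]) -> None:
    """Reject inputs outside the ranges the metrics are defined on."""
    for v in vulns:
        if not 0.0 <= v.prevalence <= 1.0:
            raise ValueError(f"{v.name}: prevalence must be a fraction in [0, 1]")
        if not 0.0 <= v.cvss_base <= 10.0:
            raise ValueError(f"{v.name}: CVSSv2 base score must be in [0, 10]")


def rank_by_prevalence(vulns: List[Vuln], top_n: Optional[int] = None) -> List[str]:
    """Previous Top 10 approach: order purely by how often each category is seen."""
    _validate(vulns)
    ordered = sorted(vulns, key=lambda v: v.prevalence, reverse=True)
    return [v.name for v in ordered[:top_n]]


def rank_by_prevalence_then_severity(
    vulns: List[Vuln], threshold: float = HIGH_SEVERITY, top_n: Optional[int] = None
) -> List[str]:
    """Christian's sampling method: sort by prevalence, then keep only the
    categories whose CVSSv2 base score reaches the severity threshold."""
    _validate(vulns)
    ordered = sorted(vulns, key=lambda v: v.prevalence, reverse=True)
    chosen = [v for v in ordered if v.cvss_base >= threshold]
    return [v.name for v in chosen[:top_n]]


def rank_by_combined(vulns: List[Vuln], top_n: Optional[int] = None) -> List[str]:
    """One way to account for both factors (assumption: a plain product of
    prevalence and severity, i.e. a likelihood x impact style risk score)."""
    _validate(vulns)
    ordered = sorted(vulns, key=lambda v: v.prevalence * v.cvss_base, reverse=True)
    return [v.name for v in ordered[:top_n]]


if __name__ == "__main__":
    print("prevalence only:         ", rank_by_prevalence(SAMPLE, top_n=3))
    print("prevalence, high severity:", rank_by_prevalence_then_severity(SAMPLE))
    print("combined (product):      ", rank_by_combined(SAMPLE, top_n=3))
```

Run on the constructed sample, prevalence-only ranking puts a Low-severity category (information leakage) at the head of the list, the severity-gated ranking keeps only injection and broken authentication, and the product ranking places injection first while still letting the very common Medium-severity categories into the top three. That spread is exactly the difference between the two camps in the thread.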

