[Owasp-topten] WASC Threat Classification v2.0

Christian Heinrich christian.heinrich at owasp.org
Sat Jan 2 04:45:02 EST 2010


Robert,

Impact and Severity refer to the same quality of a residual risk.

On Sat, Jan 2, 2010 at 1:48 PM,  <robert at webappsec.org> wrote:
> Thanks for the free spammage tom :) I just wanted to add that the WASC TC does not
> attempt to implement 'risks' or 'severities' in this release. We will be adding impacts
> and mitigations to future releases but we're staying clear of risk/severity intentionally :)
>
> Thanks
> - Robert
>
>>
>> To add to the thread...  re: OWASP Top 10
>>
>> Released today: WASC Threat Classification v2.0 led by Robert Auger
>>
>> http://projects.webappsec.org/Threat-Classification
>>
>>
>> Tom Brennan
>> http://www.linkedin.com/in/tombrennan
>> (973) 506-9303
>>
>>
>>
>> On Fri, Jan 1, 2010 at 5:18 AM, Christian Heinrich
>> <christian.heinrich at owasp.org> wrote:
>> > Dave,
>> >
>> > The sampling methodology would be to sort the vulnerabilities based on
>> > prevalence and then select those of high severity in order of
>> > prevalence.
>> >
>> > WASC provide CVSSv2 Base (i.e. severity) metrics for each webappsec
>> > vulnerability.
>> >
>> > On Fri, Jan 1, 2010 at 2:21 AM, Dave Wichers
>> > <dave.wichers at aspectsecurity.com> wrote:
>> >> On the leaders list you might have seen some discussion of working with
>> >> Facebook and they seem receptive but time will tell.
>> >>
>> >> Let's see how that plays out.
>> >>
>> >> And I've said before, I don't think rating the top 10 on severity only,
>> >> is a good idea. The last top 10 rated them on prevalence only. And we
>> >> need to account for both, not just one or the other.
>> >>
>> >> -Dave
>> >
>> >
>> > --
>> > Regards,
>> > Christian Heinrich - http://sn.im/cmlh_linkedin_profile
>> > OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
>> > Speaking Schedule at http://sn.im/cmlh_speaking_schedule
>> > _______________________________________________
>> > Owasp-topten mailing list
>> > Owasp-topten at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-topten
>> >

-- 
Regards,
Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule

