[Owasp-topten] WASC Threat Classification v2.0

robert at webappsec.org robert at webappsec.org
Sat Jan 2 05:45:04 EST 2010


I wasn't trying to get into a debate about them, merely that we're not covering it in this wasc project :)



> Robert,
> 
> Impact and Severity refer to the same quality of a residual risk.
> 
> On Sat, Jan 2, 2010 at 1:48 PM,  <robert at webappsec.org> wrote:
> > Thanks for the free spammage tom :) I just wanted to add that the WASC TC does not
> > attempt to implement 'risks' or 'severities' in this release. We will be adding impacts
> > and mitigations to future releases but we're staying clear of risk/severity intentionally :)
> >
> > Thanks
> > - Robert
> >
> >>
> >> To add to the thread... re: OWASP Top 10
> >>
> >> Released today: WASC Threat Classification v2.0 led by Robert Auger
> >>
> >> http://projects.webappsec.org/Threat-Classification
> >>
> >>
> >> Tom Brennan
> >> http://www.linkedin.com/in/tombrennan
> >> (973) 506-9303
> >>
> >>
> >>
> >> On Fri, Jan 1, 2010 at 5:18 AM, Christian Heinrich
> >> <christian.heinrich at owasp.org> wrote:
> >> > Dave,
> >> >
> >> > The sampling methodology would be to sort the vulnerabilities based on
> >> > prevalence and then select those of high severity in order of
> >> > prevalence.
> >> >
> >> > WASC provide CVSSv2 Base (i.e. severity) metrics for each webappsec
> >> > vulnerability.
> >> >
> >> > On Fri, Jan 1, 2010 at 2:21 AM, Dave Wichers
> >> > <dave.wichers at aspectsecurity.com> wrote:
> >> >> On the leaders list you might have seen some discussion of working with
> >> >> Facebook and they seem receptive but time will tell.
> >> >>
> >> >> Let's see how that plays out.
> >> >>
> >> >> And I've said before, I don't think rating the top 10 on severity only,
> >> >> is a good idea. The last top 10 rated them on prevalence only. And we
> >> >> need to account for both, not just one or the other.
> >> >>
> >> >> -Dave
> >> >
> >> >
> >> > --
> >> > Regards,
> >> > Christian Heinrich - http://sn.im/cmlh_linkedin_profile
> >> > OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> >> > Speaking Schedule at http://sn.im/cmlh_speaking_schedule
> >> > _______________________________________________
> >> > Owasp-topten mailing list
> >> > Owasp-topten at lists.owasp.org
> >> > https://lists.owasp.org/mailman/listinfo/owasp-topten
> >> >
> >>
> >
> >
> 
> --
> 
> Regards,
> Christian Heinrich - http://sn.im/cmlh_linkedin_profile
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> Speaking Schedule at http://sn.im/cmlh_speaking_schedule