
List:       owasp-testing
Subject:    Re: [Owasp-testing] CVSS v2
From:       Christian Heinrich <christian.heinrich () cmlh ! id ! au>
Date:       2013-05-11 2:25:33
Message-ID: CAGKxTUSm262uxh5Q-zUEqKfr7A3z3E5ijx_WJ6mDtQJC1mD2Cg () mail ! gmail ! com



Colin,

On Fri, May 10, 2013 at 5:18 PM, Colin Watson <colin.watson@owasp.org> wrote:

> Very useful points and references, which I don't disagree with.
>

I also presented http://www.slideshare.net/cmlh/cvss from 2006 and as part
of this research considered the published minutes of the FIRST SIG
conference calls during the development of CVSSv2.

As I have stated previously, the issues identified within
http://www.slideshare.net/cmlh/cvss are being addressed by the FIRST
CVSS-SIG for CVSSv3.

On Fri, May 10, 2013 at 5:18 PM, Colin Watson <colin.watson@owasp.org> wrote:
>
> For custom-built web applications, which I think was the original
> question, I would personally not use CVSS2. I am keeping my eyes on
> CWRAF and CWSS:
>
>    http://cwe.mitre.org/cwraf/
>

I include CWRAF as a recommendation in the Executive Brief since I believe
the risk management function of the business is better at measuring their
residual risk when acting as the external independent auditor.

Also, you may still be able to locate CVE(s) of the published API(s) since
developers tend to reuse API(s) in the development of multiple web
applications.  Hence, it may still be possible to quote the CVSS Base Score in
the deliverable as part of encouraging the business to leverage CWRAF.



-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact





