OWASP Shortcomings

  • Classifying each vulnerability takes a lot of effort; scoring business impact requires understanding the organization and communication with the client
  • Many standards do not use it. For example, PCI-DSS uses CVSS
  • Informal methods measure business impact and factor in the consultant's understanding of the business and their expertise, but consultancies may find it difficult to justify the ratings to clients; the result is very opinionated
  • CVSS does not take into account the importance of a given asset. It's entirely possible that a medium vulnerability on a mission-critical server should be remediated before a critical vulnerability on the guest check-in kiosk in the lobby of your corporate headquarters.
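The asset-importance point above, as an added example that is not part of the original notes: the same weakness is rated with the OWASP Risk Rating Methodology (0-9 factor scores, likelihood and impact bands, overall severity matrix) once with the business-impact factors of a mission-critical server and once with those of a lobby kiosk, and a CVSS-only finding list is re-ordered by an asset criticality multiplier. The factor values, host names, CVSS scores and the 1-5 asset weight scale are constructed for illustration.

```python
"""Asset-aware vulnerability ranking: OWASP Risk Rating vs. CVSS-only."""
from statistics import mean

# OWASP Risk Rating bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH
def band(score):
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"

# Overall severity matrix (likelihood band, impact band) -> severity,
# as published in the OWASP Risk Rating Methodology
SEVERITY = {
    ("LOW", "LOW"): "NOTE", ("LOW", "MEDIUM"): "LOW", ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}

def owasp_rating(threat_agent, vulnerability, technical, business=None):
    """Return (likelihood_score, impact_score, severity).

    Each list holds 0-9 factor scores. Likelihood is the average of the
    threat-agent and vulnerability factors; impact uses the business-impact
    factors when the consultant has them, otherwise the technical factors.
    """
    likelihood_factors = list(threat_agent) + list(vulnerability)
    for f in likelihood_factors + list(technical) + list(business or []):
        if not 0 <= f <= 9:
            raise ValueError(f"factor {f} outside the 0-9 scale")
    likelihood = mean(likelihood_factors)
    impact = mean(business) if business else mean(technical)
    return likelihood, impact, SEVERITY[(band(likelihood), band(impact))]

def prioritize(findings):
    """Order findings by CVSS base score times an asset criticality
    multiplier (assumed 1-5 scale), most urgent first."""
    return sorted(findings, key=lambda f: f["cvss"] * f["asset_weight"], reverse=True)

# Constructed sample: one and the same weakness on two different assets.
# Likelihood factors: skill, motive, opportunity, size / discovery, exploit,
# awareness, intrusion detection. Impact factors: C, I, A, accountability /
# financial, reputation, non-compliance, privacy.
THREAT_AGENT = [5, 6, 7, 6]
VULNERABILITY = [7, 5, 6, 5]
TECHNICAL = [5, 5, 5, 5]
SERVER_BUSINESS = [7, 8, 7, 7]   # mission-critical payment database
KIOSK_BUSINESS = [2, 3, 1, 2]    # guest check-in kiosk in the lobby

# Constructed CVSS-only finding list with an asset weight bolted on
FINDINGS = [
    {"host": "guest-kiosk", "cvss": 9.8, "asset_weight": 1},
    {"host": "payment-db", "cvss": 5.5, "asset_weight": 5},
]

if __name__ == "__main__":
    for name, biz in (("payment-db", SERVER_BUSINESS), ("guest-kiosk", KIOSK_BUSINESS)):
        lik, imp, sev = owasp_rating(THREAT_AGENT, VULNERABILITY, TECHNICAL, biz)
        print(f"{name}: likelihood={lik:.2f} impact={imp:.2f} severity={sev}")
    print("asset-weighted order:", [f["host"] for f in prioritize(FINDINGS)])
```

With identical likelihood and technical impact, the server finding lands at HIGH and the kiosk finding at LOW purely because of the business-impact factors, which is the information a raw CVSS base score cannot carry; the weighted sort shows the medium (5.5) on the critical asset overtaking the critical (9.8) on the kiosk.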

Resources: "A Case Against CVSS: Vulnerability Management Done Wrong" by Henry Howland (Medium)