I aim at prioritizing vulnerability patching for web and REST applications. Since web application vulnerabilities do not have severity scores assigned, as is done for other vulnerabilities (CVEs are assigned CVSS scores), I thought of using the OWASP Top 10 2017 as a measurement yardstick. One possibility is to employ a scale of 1-10 such that vulnerabilities with CWEs within A1 are assigned/scored 10 and A6 are assigned 5; I am not sure of the appropriateness of this method. Another method is to use CWSS (see attached picture for example), i.e. using prevalence scores; however, CWSS seems to be rarely used in research and industry. A third approach is to score vulnerabilities with CVSS, which is more popularly used. Does anyone have experiences to share?
