I aim at prioritizing vulnerability patching for web and REST applications . Since web application vulnerabilities do not have severity scores assigned like done for vulnerabilities (CVEs are assigned CVSS) i thought of using OWASP top 10 2017 as a measurement yard-stick. One possibility is to employ a scale of 1-10 such that vulnerabilities with CWEs within A1 are assigned/scored 10 and A6 are assigned 5, I am not sure of the appropriateness of this method. Another method is to use CWSS, (see attached picture for example) i.e. using prevalence scores, however CWSS seems to be rarely used in research and industry. A third approach is to score vulnerabilities with CVSS, which is more popularly used. Does anyone have experiences to share?
I would suggest first using CVSS and then CWSS. Then compare the scores and hopefully you will be able to make the right decision.
Hi Awad,
many thanks for your advice, I will try "the combined approach" and see how it turns out.
regards..
Kennedy
- Badges
- Science topic
- Similar topics
- Biological Science
- Bioecology
- Systems Ecology
- Landscape Ecology
- Connectivity