AppSecure-nrw / security-belts

Creative Commons Attribution Share Alike 4.0 International

Add an activity concerning vulnerability scoring via CVSS. #89

Open StefanDziwok opened 3 years ago

mvollmary commented 3 years ago

Add as activity in https://github.com/AppSecure-nrw/security-belts/blob/master/green/treatment-of-vulnerabilities-with-severity-high-or-higher.md

bob5ec commented 3 years ago

Who is scoring vulnerabilities? The tools do it. When they find a bug: fix it. If not, treat it as a false positive. No need to start the endless endeavor of scoring vulnerabilities.

StefanDziwok commented 3 years ago

@bob5ec The idea is to use the scoring to prioritize your work and to have arguments towards your fellow developer teammates or your product owner.

Moreover, I do not agree that only tools score. If you find a vulnerability using a manual code review, then CVSS helps you to prioritize it. Though, we already discussed in the meeting that it is not the only metric, as it does not cover your domain and your customers' needs.

bob5ec commented 3 years ago

That's why I wrote only tools score. If people do, they start arguing instead of fixing.

mvollmary commented 3 years ago

The idea is to add a note in Treatment of Vulnerabilities With Severity High or Higher, that if the tools don't rank a finding or you have a manual finding, you should use a CVSS calculator to rank the finding.

StefanDziwok commented 3 years ago

The idea is to add a note in Treatment of Vulnerabilities With Severity High or Higher, that if the tools don't rank a finding or you have a manual finding, you should use a CVSS calculator to rank the finding.

This was the consensus of the participants of today's meeting.