Hello Robert!
It's interesting poll and webappsec professionals and experts could be
interested to participate in the poll. But you've selected not appropriate
place for opening the poll.
You've opened it in LinkedIn. That one, which was hacked last year. This is
social network and none of social networks are attending to security. It's
not the place for polls on web applications security topics ;-). Plus I'm
not using LinkedIn and any s.networks at all (and the poll requires
registration in it).
P.S.
I am agree with Phillip's standpoint.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Robert A. robert at webappsec.org
Wed Jan 9 18:35:02 EST 2013
Greetings,
I've added a new poll to the WASC linkedin group that a few of you may be
interested in. Specifically asking how people rank the importance of
vulnerabilities.
Link
http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840
Regards,
Robert A.
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org.
The content is interesting, yes, please post the poll outside of social media. Could be able to see the results after completed?
Ron
Ron Munsee, MA, MS, CISSP, PMP, CRISC, MCTS
UMUC - UNIT 15556 - APO AP 96205
82-10-8765-2983 (outside of Korea)
010-8765-2983 (In Korea)
Venice Villa Hyong-Chong dong 272 - Yongsan-Gu, Seoul, 140-120 _____________________________________________
From: mustlive@websecurity.com.ua
To: robert@webappsec.org
Date: Thu, 31 Jan 2013 23:50:01 +0200
CC: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Poll: How do you rank the importance of a vulnerability?
Hello Robert!
It's interesting poll and webappsec professionals and experts could be
interested to participate in the poll. But you've selected not appropriate
place for opening the poll.
You've opened it in LinkedIn. That one, which was hacked last year. This is
social network and none of social networks are attending to security. It's
not the place for polls on web applications security topics ;-). Plus I'm
not using LinkedIn and any s.networks at all (and the poll requires
registration in it).
P.S.
I am agree with Phillip's standpoint.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Robert A. robert at webappsec.org
Wed Jan 9 18:35:02 EST 2013
Greetings,
I've added a new poll to the WASC linkedin group that a few of you may be
interested in. Specifically asking how people rank the importance of
vulnerabilities.
Link
http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840
Regards,
Robert A.
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org.
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Where would you suggest this poll be held? Keep in mind I have no time to
create or implement a polling application :)
On Thu, 31 Jan 2013, MustLive wrote:
Hello Robert!
It's interesting poll and webappsec professionals and experts could be
interested to participate in the poll. But you've selected not appropriate
place for opening the poll.
You've opened it in LinkedIn. That one, which was hacked last year. This is
social network and none of social networks are attending to security. It's
not the place for polls on web applications security topics ;-). Plus I'm
not using LinkedIn and any s.networks at all (and the poll requires
registration in it).
P.S.
I am agree with Phillip's standpoint.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Robert A. robert at webappsec.org
Wed Jan 9 18:35:02 EST 2013
Greetings,
I've added a new poll to the WASC linkedin group that a few of you may be
interested in. Specifically asking how people rank the importance of
vulnerabilities.
Link
http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840
Regards,
Robert A.
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org.
Hi
Some researchers use: survey monkey: www.surveymonkey.com/
Ron
Ron Munsee, MA, MS, CISSP, PMP, CRISC, MCTS
UMUC - UNIT 15556 - APO AP 96205
82-10-8765-2983 (outside of Korea)
010-8765-2983 (In Korea)
Venice Villa Hyong-Chong dong 272 - Yongsan-Gu, Seoul, 140-120
Date: Thu, 31 Jan 2013 17:47:03 -0600
From: robert@webappsec.org
To: mustlive@websecurity.com.ua
CC: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Poll: How do you rank the importance of a vulnerability?
Where would you suggest this poll be held? Keep in mind I have no time to
create or implement a polling application :)
On Thu, 31 Jan 2013, MustLive wrote:
Hello Robert!
It's interesting poll and webappsec professionals and experts could be
interested to participate in the poll. But you've selected not appropriate
place for opening the poll.
You've opened it in LinkedIn. That one, which was hacked last year. This is
social network and none of social networks are attending to security. It's
not the place for polls on web applications security topics ;-). Plus I'm
not using LinkedIn and any s.networks at all (and the poll requires
registration in it).
P.S.
I am agree with Phillip's standpoint.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Robert A. robert at webappsec.org
Wed Jan 9 18:35:02 EST 2013
Greetings,
I've added a new poll to the WASC linkedin group that a few of you may be
interested in. Specifically asking how people rank the importance of
vulnerabilities.
Link
http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840
Regards,
Robert A.
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org.
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
How about sites like surveymonkey and so?
Sent from BlackBerry® on Airtel
-----Original Message-----
From: "Robert A." robert@webappsec.org
Sender: "websecurity" websecurity-bounces@lists.webappsec.org
Date: Thu, 31 Jan 2013 17:47:03
To: MustLivemustlive@websecurity.com.ua
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Poll: How do you rank the importance of a
vulnerability?
Where would you suggest this poll be held? Keep in mind I have no time to
create or implement a polling application :)
On Thu, 31 Jan 2013, MustLive wrote:
Hello Robert!
It's interesting poll and webappsec professionals and experts could be
interested to participate in the poll. But you've selected not appropriate
place for opening the poll.
You've opened it in LinkedIn. That one, which was hacked last year. This is
social network and none of social networks are attending to security. It's
not the place for polls on web applications security topics ;-). Plus I'm
not using LinkedIn and any s.networks at all (and the poll requires
registration in it).
P.S.
I am agree with Phillip's standpoint.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Robert A. robert at webappsec.org
Wed Jan 9 18:35:02 EST 2013
Greetings,
I've added a new poll to the WASC linkedin group that a few of you may be
interested in. Specifically asking how people rank the importance of
vulnerabilities.
Link
http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840
Regards,
Robert A.
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org.
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
CVSS is a large step in right direction, away from subjective 1-5 or
Low-High scores, but I still have a large practical problem with how
it's counted. CVSS has one issue that results in typical reports being
flooded by mix of really important and less important vulnerabilities
that will be difficult to distinguis even using CVSS subscores. For
example consider these two examples:
Let's assume sshd is exploitable over network (AV=N). Let's assume
libtiff can be exploited by someone who would need to open a malformed
TIFF - but that would also have AV=N because it's assumed the file is
delivered over network. This is at least how most of these vulns are
classified in Qualys.
Obviously, the real risk is completely different in each case - sshd
just sits there and waits to be exploited, for libtiff you'd need a
rather rare opportunity (someone opening TIFFs on server).
I've once asked CVSS team about this and they replied that this should
be theoretically captured by Access Complexity (AC) - for libtiff it
AC=H (as you need to use social engineering for example), for sshd
AC=L (just go and metasploit over network).
But in real life scores of both vulns will be very similar. At the end
of the day you end up with a report flooded by say 100 issues for each
server, out of which usually all will be like that libtiff. And you
have no way to filter them out to focus on sshd-type vulns because of
how the classification is calculated.
--
Paweł Krawczyk, CISSP
http://ipsec.pl http://echelon.pl
+48 602 776959
On 1/2/2013 at 12:58 AM, "Robert A." wrote:Where would you suggest
this poll be held? Keep in mind I have no time to
create or implement a polling application :)
On Thu, 31 Jan 2013, MustLive wrote:
Hello Robert!
It's interesting poll and webappsec professionals and experts could
be
interested to participate in the poll. But you've selected not
appropriate
place for opening the poll.
You've opened it in LinkedIn. That one, which was hacked last year.
This is
social network and none of social networks are attending to
security. It's
not the place for polls on web applications security topics ;-).
Plus I'm
not using LinkedIn and any s.networks at all (and the poll requires
registration in it).
P.S.
I am agree with Phillip's standpoint.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Robert A. robert at webappsec.org
Wed Jan 9 18:35:02 EST 2013
Greetings,
I've added a new poll to the WASC linkedin group that a few of you
may be
interested in. Specifically asking how people rank the importance
of
vulnerabilities.
Link
Regards,
Robert A.
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org.
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
I would go for worst case scenario considering the weakest link principle. Also proper threat modelling would be useful to determine scoring for specific vulnerability. For enterprise level product with ideally no exposure to outside network, one might argue that libtiff issue might be of less severity but again it boils down to the context of application in analysis.
-Rohit
From: Paweł Krawczyk pawel.krawczyk@hush.com
To: websecurity@lists.webappsec.org
Sent: Thursday, January 31, 2013 11:00 PM
Subject: Re: [WEB SECURITY] Poll: How do you rank the importance of a vulnerability?
CVSS is a large step in right direction, away from subjective 1-5 or Low-High scores, but I still have a large practical problem with how it's counted. CVSS has one issue that results in typical reports being flooded by mix of really important and less important vulnerabilities that will be difficult to distinguis even using CVSS subscores. For example consider these two examples:
Let's assume sshd is exploitable over network (AV=N). Let's assume libtiff can be exploited by someone who would need to open a malformed TIFF - but that would also have AV=N because it's assumed the file is delivered over network. This is at least how most of these vulns are classified in Qualys.
Obviously, the real risk is completely different in each case - sshd just sits there and waits to be exploited, for libtiff you'd need a rather rare opportunity (someone opening TIFFs on server).
I've once asked CVSS team about this and they replied that this should be theoretically captured by Access Complexity (AC) - for libtiff it AC=H (as you need to use social engineering for example), for sshd AC=L (just go and metasploit over network).
But in real life scores of both vulns will be very similar. At the end of the day you end up with a report flooded by say 100 issues for each server, out of which usually all will be like that libtiff. And you have no way to filter them out to focus on sshd-type vulns because of how the classification is calculated.
--
Paweł Krawczyk, CISSP
http://ipsec.pl http://echelon.pl
+48 602 776959
On 1/2/2013 at 12:58 AM, "Robert A." robert@webappsec.org wrote:
Where would you suggest this poll be held? Keep in mind I have no time to
create or implement a polling application :)
On Thu, 31 Jan 2013, MustLive wrote:
Hello Robert!
It's interesting poll and webappsec professionals and experts could be
interested to participate in the poll. But you've selected not appropriate
place for opening the poll.
You've opened it in LinkedIn. That one, which was hacked last year. This is
social network and none of social networks are attending to security. It's
not the place for polls on web applications security topics ;-). Plus I'm
not using LinkedIn and any s.networks at all (and the poll requires
registration in it).
P.S.
I am agree with Phillip's standpoint.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Robert A. robert at webappsec.org
Wed Jan 9 18:35:02 EST 2013
Greetings,
I've added a new poll to the WASC linkedin group that a few of you may be
interested in. Specifically asking how people rank the importance of
vulnerabilities.
Link
http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840
Regards,
Robert A.
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org.
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
That’s theory. In practice you usually need to deal with hundreds of servers with tens of vulnerabilities on each. If you treat them all equally, you’ll get stuck forever on fixing libtiff-type issues on the first one, and never touch remote exploits in SSH in the others. That’s why it’s critical to have a way to prioritize these issues by their real risk. Once you’re done with remotes in SSH, you can move to libtiff.
From: Rohit Pitke [mailto:rohirp92@yahoo.com]
Sent: Friday, February 01, 2013 8:35 PM
To: pawel.krawczyk@hush.com; websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Poll: How do you rank the importance of a vulnerability?
I would go for worst case scenario considering the weakest link principle. Also proper threat modelling would be useful to determine scoring for specific vulnerability. For enterprise level product with ideally no exposure to outside network, one might argue that libtiff issue might be of less severity but again it boils down to the context of application in analysis.
-Rohit
From: Paweł Krawczyk < mailto:pawel.krawczyk@hush.com pawel.krawczyk@hush.com>
To: mailto:websecurity@lists.webappsec.org websecurity@lists.webappsec.org
Sent: Thursday, January 31, 2013 11:00 PM
Subject: Re: [WEB SECURITY] Poll: How do you rank the importance of a vulnerability?
CVSS is a large step in right direction, away from subjective 1-5 or Low-High scores, but I still have a large practical problem with how it's counted. CVSS has one issue that results in typical reports being flooded by mix of really important and less important vulnerabilities that will be difficult to distinguis even using CVSS subscores. For example consider these two examples:
remote bug in sshd
bug in libtiff
Let's assume sshd is exploitable over network (AV=N). Let's assume libtiff can be exploited by someone who would need to open a malformed TIFF - but that would also have AV=N because it's assumed the file is delivered over network. This is at least how most of these vulns are classified in Qualys.
Obviously, the real risk is completely different in each case - sshd just sits there and waits to be exploited, for libtiff you'd need a rather rare opportunity (someone opening TIFFs on server).
I've once asked CVSS team about this and they replied that this should be theoretically captured by Access Complexity (AC) - for libtiff it AC=H (as you need to use social engineering for example), for sshd AC=L (just go and metasploit over network).
But in real life scores of both vulns will be very similar. At the end of the day you end up with a report flooded by say 100 issues for each server, out of which usually all will be like that libtiff. And you have no way to filter them out to focus on sshd-type vulns because of how the classification is calculated.
--
Paweł Krawczyk, CISSP
http://ipsec.pl http://ipsec.pl http://echelon.pl http://echelon.pl
+48 602 776959
On 1/2/2013 at 12:58 AM, "Robert A." < mailto:robert@webappsec.org robert@webappsec.org> wrote:
Where would you suggest this poll be held? Keep in mind I have no time to
create or implement a polling application :)
On Thu, 31 Jan 2013, MustLive wrote:
Hello Robert!
It's interesting poll and webappsec professionals and experts could be
interested to participate in the poll. But you've selected not appropriate
place for opening the poll.
You've opened it in LinkedIn. That one, which was hacked last year. This is
social network and none of social networks are attending to security. It's
not the place for polls on web applications security topics ;-). Plus I'm
not using LinkedIn and any s.networks at all (and the poll requires
registration in it).
P.S.
I am agree with Phillip's standpoint.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua http://websecurity.com.ua
Robert A. robert at http://webappsec.org/ webappsec.org
Wed Jan 9 18:35:02 EST 2013
Greetings,
I've added a new poll to the WASC linkedin group that a few of you may be
interested in. Specifically asking how people rank the importance of
vulnerabilities.
Link
http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840 http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840
Regards,
Robert A.
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org http://www.webappsec.org.
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates http://twitter.com/wascupdates
mailto:websecurity@lists.webappsec.org websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
I feel the DREAD rating system is flexible enough to accomodate most edgecases while providing a solid base rating system for vulnerabilities categorically:
http://en.wikipedia.org/wiki/DREAD:_Risk_assessment_model
--- On Sat, 2/2/13, Paweł Krawczyk pawel.krawczyk@hush.com wrote:
From: Paweł Krawczyk pawel.krawczyk@hush.com
Subject: Re: [WEB SECURITY] Poll: How do you rank the importance of a vulnerability?
To: websecurity@lists.webappsec.org
Date: Saturday, February 2, 2013, 11:17 AM
That’s theory. In practice you usually need to deal with hundreds of servers with tens of vulnerabilities on each. If you treat them all equally, you’ll get stuck forever on fixing libtiff-type issues on the first one, and never touch remote exploits in SSH in the others. That’s why it’s critical to have a way to prioritize these issues by their real risk. Once you’re done with remotes in SSH, you can move to libtiff. From: Rohit Pitke [mailto:rohirp92@yahoo.com]
Sent: Friday, February 01, 2013 8:35 PM
To: pawel.krawczyk@hush.com; websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Poll: How do you rank the importance of a vulnerability? I would go for worst case scenario considering the weakest link principle. Also proper threat modelling would be useful to determine scoring for specific vulnerability. For enterprise level product with ideally no exposure to outside network, one might argue that libtiff issue might be of less severity but again it boils down to the context of application in analysis. -Rohit From: Paweł Krawczyk pawel.krawczyk@hush.com
To: websecurity@lists.webappsec.org
Sent: Thursday, January 31, 2013 11:00 PM
Subject: Re: [WEB SECURITY] Poll: How do you rank the importance of a vulnerability?
CVSS is a large step in right direction, away from subjective 1-5 or Low-High scores, but I still have a large practical problem with how it's counted. CVSS has one issue that results in typical reports being flooded by mix of really important and less important vulnerabilities that will be difficult to distinguis even using CVSS subscores. For example consider these two examples:
Let's assume sshd is exploitable over network (AV=N). Let's assume libtiff can be exploited by someone who would need to open a malformed TIFF - but that would also have AV=N because it's assumed the file is delivered over network. This is at least how most of these vulns are classified in Qualys. Obviously, the real risk is completely different in each case - sshd just sits there and waits to be exploited, for libtiff you'd need a rather rare opportunity (someone opening TIFFs on server). I've once asked CVSS team about this and they replied that this should be theoretically captured by Access Complexity (AC) - for libtiff it AC=H (as you need to use social engineering for example), for sshd AC=L (just go and metasploit over network). But in real life scores of both vulns will be very similar. At the end of the day you end up with a report flooded by say 100 issues for each server, out of which usually all will be like that libtiff. And you
have no way to filter them out to focus on sshd-type vulns because of how the classification is calculated.
--
Paweł Krawczyk, CISSP
http://ipsec.pl http://echelon.pl
+48 602 776959
On 1/2/2013 at 12:58 AM, "Robert A." robert@webappsec.org wrote:Where would you suggest this poll be held? Keep in mind I have no time to
create or implement a polling application :)
On Thu, 31 Jan 2013, MustLive wrote:
Hello Robert!
It's interesting poll and webappsec professionals and experts could be
interested to participate in the poll. But you've selected not appropriate
place for opening the poll.
You've opened it in LinkedIn. That one, which was hacked last year. This is
social network and none of social networks are attending to security. It's
not the place for polls on web applications security topics ;-). Plus I'm
not using LinkedIn and any s.networks at all (and the poll requires
registration in it).
P.S.
I am agree with Phillip's standpoint.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Robert A. robert at webappsec.org
Wed Jan 9 18:35:02 EST 2013
Greetings,
I've added a new poll to the WASC linkedin group that a few of you may be
interested in. Specifically asking how people rank the importance of
vulnerabilities.
Link
http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840
Regards,
Robert A.
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org.
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
-----Inline Attachment Follows-----
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Robert!
For such purposes I use my own web application MLVote ;-). Which I've
developed in 2002 and used at some of my sites. In your case, when you have
no own polling webapp and don't want to create such one, there are two ways:
use existent web application (at your own site) or use online service (at
web site of this service).
There are many such online services, so you can find suitable one. Guys have
recommended surveymonkey.com, so look at it (I heard about it). This service
has free tariff plan, which will be enough for this poll.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: "Robert A." robert@webappsec.org
To: "MustLive" mustlive@websecurity.com.ua
Cc: websecurity@lists.webappsec.org
Sent: Friday, February 01, 2013 1:47 AM
Subject: Re: [WEB SECURITY] Poll: How do you rank the importance of a
vulnerability?
Where would you suggest this poll be held? Keep in mind I have no time to
create or implement a polling application :)
On Thu, 31 Jan 2013, MustLive wrote:
Hello Robert!
It's interesting poll and webappsec professionals and experts could be
interested to participate in the poll. But you've selected not
appropriate
place for opening the poll.
You've opened it in LinkedIn. That one, which was hacked last year. This
is
social network and none of social networks are attending to security.
It's
not the place for polls on web applications security topics ;-). Plus I'm
not using LinkedIn and any s.networks at all (and the poll requires
registration in it).
P.S.
I am agree with Phillip's standpoint.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Robert A. robert at webappsec.org
Wed Jan 9 18:35:02 EST 2013
Greetings,
I've added a new poll to the WASC linkedin group that a few of you may
be
interested in. Specifically asking how people rank the importance of
vulnerabilities.
Link
http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840
Regards,
Robert A.
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org