On Wed, Feb 6, 2019 at 11:56 PM Trevor Bidhadar <Trevor.Bidhadar@securedecisions.com> wrote:

Hello,

I am using Bandit and was wondering how you define your severity and confidence levels. In other words, what makes a vulnerability's severity High instead of Medium or Low? How do you define the confidence of the finding?


It's based on OWASP's Risk Rating, see the following:

https://www.owasp.org/index.php/OWASP_Risk_Rating#Step_4:_Determining_the_Severity_of_the_Risk

Thank you in advance for the information,

Trevor Bidhadar

(631)-759-3960

Project Coordinator

Secure Decisions div. of Applied Visions, Inc.

6 Bayview Avenue

Northport, NY 11768

www.SecureDecisions.com

_______________________________________________
code-quality mailing list
code-quality@python.org
https://mail.python.org/mailman/listinfo/code-quality


--
Luke Hinds  | CTO Office | Red Hat
e: lhinds@redhat.com | irc: lhinds @freenode | t: +44 12 52 36 2483
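Added example, not code from the Bandit project or from either poster: a stdlib-only script that applies Bandit's two rating scales (issue_severity and issue_confidence) the way the tool's own -l/-ll/-lll and -i/-ii/-iii thresholds do, over a constructed sample in the shape of `bandit -f json` output. The function names and the CI gate policy are assumptions of this example.

```python
import json
from typing import Dict, List

# Bandit rates every finding on two independent three-level scales:
# issue_severity (how bad if real) and issue_confidence (how sure the check is).
LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample in the shape of `bandit -f json` output; not a real scan.
SAMPLE_REPORT = json.dumps({"results": [
    {"test_id": "B602", "test_name": "subprocess_popen_with_shell_equals_true",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "filename": "app/run.py", "line_number": 12},
    {"test_id": "B101", "test_name": "assert_used",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "filename": "app/util.py", "line_number": 3},
    {"test_id": "B608", "test_name": "hardcoded_sql_expressions",
     "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "filename": "app/db.py", "line_number": 40},
    {"test_id": "B105", "test_name": "hardcoded_password_string",
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "filename": "app/settings.py", "line_number": 7},
]})


def filter_findings(report_json: str, min_severity: str = "LOW",
                    min_confidence: str = "LOW") -> List[Dict]:
    """Keep findings at or above BOTH thresholds, highest risk first.

    Same semantics as bandit's -l/-ll/-lll (severity) and -i/-ii/-iii
    (confidence) options: a finding below either floor is dropped."""
    sev_floor = LEVELS[min_severity.upper()]
    conf_floor = LEVELS[min_confidence.upper()]
    kept = [r for r in json.loads(report_json).get("results", [])
            if LEVELS[r["issue_severity"]] >= sev_floor
            and LEVELS[r["issue_confidence"]] >= conf_floor]
    # Severity (impact) is the primary sort key, confidence breaks ties,
    # so the findings most worth a reviewer's time come first.
    kept.sort(key=lambda r: (LEVELS[r["issue_severity"]],
                             LEVELS[r["issue_confidence"]]), reverse=True)
    return kept


def passes_gate(report_json: str, min_severity: str = "MEDIUM",
                min_confidence: str = "MEDIUM") -> bool:
    """Hypothetical CI gate: fail the build only on findings that are at
    least MEDIUM in both severity and confidence, so low-confidence noise
    is triaged by hand instead of blocking merges."""
    return not filter_findings(report_json, min_severity, min_confidence)
```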