Bandit: Severity and Confidence Definitions

Hello,
I am using Bandit and was wondering how do you define your severity and confidence levels? In other words, what makes a High severity a vulnerability High instead of Medium or Low? How do you define the confidence of the finding?
Thank you in advance for the information,

Trevor Bidhadar
(631)-759-3960
Project Coordinator
Secure Decisions div. of Applied Visions, Inc.
6 Bayview Avenue
Northport, NY 11768
www.SecureDecisions.com

On Wed, Feb 6, 2019 at 11:56 PM Trevor Bidhadar <Trevor.Bidhadar@securedecisions.com> wrote:
> Hello,
> I am using Bandit and was wondering how do you define your severity and confidence levels? In other words, what makes a High severity a vulnerability High instead of Medium or Low? How do you define the confidence of the finding?

It's based on OWASP's Risk Rating, see the following:
https://www.owasp.org/index.php/OWASP_Risk_Rating#Step_4:_Determining_the_Se...
code-quality mailing list code-quality@python.org https://mail.python.org/mailman/listinfo/code-quality

We might want to explain this in the documentation.
Sent from my phone with my typo-happy thumbs. Please excuse my brevity.
On Wed, Feb 6, 2019, 20:10 Luke Hinds <lhinds@redhat.com> wrote:
> It's based on OWASP's Risk Rating, see the following:
> https://www.owasp.org/index.php/OWASP_Risk_Rating#Step_4:_Determining_the_Se...
--
Luke Hinds | CTO Office | Red Hat
e: lhinds@redhat.com | irc: lhinds @freenode | t: +44 12 52 36 2483

Sounds like a good idea. @Trevor, would you like to create an issue and make a pull request?

On Thu, 7 Feb 2019, 02:11 Ian Stapleton Cordasco <graffatcolmingov@gmail.com> wrote:
> We might want to explain this in the documentation.
> Sent from my phone with my typo-happy thumbs. Please excuse my brevity.