What risk rating scale to use?
MarcinHoppe opened this issue
The OWASP Top 10 project uses the OWASP Risk Rating Methodology to rank risks on the list.
It looks like a good idea for the Serverless Top 10 project as well. I feel use of this risk rating scale needs to be explicitly evaluated for fit in the serverless context and clearly stated in the final report.
If we reach a consensus that this is a good risk rating scale, we can evaluate OWASP Top 10 risks in the serverless context, replacing the Serverless Risk Meter from the original report.