[Owasp-topten] Re: OWASP Top Ten - My Case For Updating It
Achim Hoffmann
kirke11 at securenet.de
Fri Jul 15 02:25:15 EDT 2005
On Fri, 15 Jul 2005, Nigel Evans wrote:
!! It really depends on what the purpose is. There is only one way to do
!! information security and that's properly starting with risk exposures
!! for the circumstances of use. However, helping people identify risks is
!! useful, these 'risks' are really events and don't become risks until you
!! find that the consequences of the event are unacceptable, ie after risk
!! analysis.
!!
!! The way I see it is that if the purpose is to help in risk
!! identification then a list of 'common exploitable flaws' is useful.
!! Of course it's quick and dirty, open to abuse (ie used without proper
!! risk assessment) and under no circumstances should it be confused with
!! risk management. However, associated with 'common exploitable flaws'
!! could be 'good design and programming practices'.
!!
!! Nigel
Just to complete my previous posting:
The risk is what the people responsible for an application have to evaluate.
You cannot make a general list of risks; risk is a combination of
= threats + vulnerability in application + likelihood someone manages to
apply an attack pattern against the vulnerability + worth of service
(where "worth of service" is anything you can lose like money, property,
confidence, reputation).
Depending on what your application serves, and what content it manages, the
"top ten" list of risks varies. Threats don't vary because they are always
there, and vulnerabilities are only there as long as they are not fixed.
IMHO the risk cannot be defined in a list like the one we're talking about.
The risk is a complicated value, computed from some others. That's why I
suggested thinking about a matrix.
{-: Achim