[Owasp-board] OWASP Project - Security Vulnerability Contextualization Framework

Dave Wichers dave.wichers at owasp.org
Wed Dec 17 20:00:20 UTC 2008


I really think the risk rating methodology is what you are looking for. It's
just a methodology, so you might want to create some worked examples
using whatever likelihood and impact factors you want to consider as an
example of how to use this methodology to calculate what you are trying to
figure out and document.

 

-Dave
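A worked example of the kind Dave suggests, added here as an illustration and not code from this thread, from OWASP, or from HP. It follows the structure of the "How to value the real risk" methodology linked below (eight likelihood factors and eight impact factors scored 0-9, each group averaged and banded LOW/MEDIUM/HIGH, and the two bands combined into an overall severity); the factor names are the methodology's, while the two SQL injection scenarios and their scores are constructed to show how context moves the same scanner finding from Critical to Low.

```python
"""
Likelihood x impact risk rating in the style of the OWASP
"How to value the real risk" methodology. Added illustration only; the
factor names follow the published methodology, the 0-9 scores for the two
SQL injection scenarios below are constructed.
"""

# Likelihood factors: four about the threat agent, four about the vulnerability.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Impact factors: four technical, four business.
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)
# Overall severity from the (likelihood band, impact band) pair.
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "NOTE",    ("MEDIUM", "LOW"): "LOW",       ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",  ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def band(score):
    """Map a 0-9 average onto the LOW / MEDIUM / HIGH band (0-<3, 3-<6, 6-9)."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(scores, names):
    """Average the named factors, rejecting missing factors or out-of-range values."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    for n in names:
        if not 0 <= scores[n] <= 9:
            raise ValueError(f"{n}={scores[n]} outside the 0-9 scale")
    return sum(scores[n] for n in names) / len(names)


def rate(likelihood, impact):
    """Return the likelihood/impact averages, their bands and the overall severity."""
    l_avg = average(likelihood, LIKELIHOOD_FACTORS)
    i_avg = average(impact, IMPACT_FACTORS)
    l_band, i_band = band(l_avg), band(i_avg)
    return {
        "likelihood": l_avg, "likelihood_band": l_band,
        "impact": i_avg, "impact_band": i_band,
        "severity": SEVERITY_MATRIX[(l_band, i_band)],
    }


# Constructed scenarios: the same scanner finding ("SQL Injection", rated
# Critical in a vacuum) in two different contexts.
# A: internet-facing customer portal, anonymous users, PII in the database,
#    no query logging or alerting.
PORTAL_LIKELIHOOD = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9,
    "intrusion_detection": 9,
}
PORTAL_IMPACT = {
    "loss_of_confidentiality": 9, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 7,
    "financial_damage": 9, "reputation_damage": 9,
    "non_compliance": 7, "privacy_violation": 9,
}
# B: internal reporting tool, reachable only by a dozen authenticated admins,
#    database holds already-public catalogue data, queries logged and reviewed.
INTERNAL_LIKELIHOOD = {
    "skill_level": 6, "motive": 3, "opportunity": 2, "size": 2,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9,
    "intrusion_detection": 1,
}
INTERNAL_IMPACT = {
    "loss_of_confidentiality": 2, "loss_of_integrity": 5,
    "loss_of_availability": 3, "loss_of_accountability": 3,
    "financial_damage": 1, "reputation_damage": 3,
    "non_compliance": 2, "privacy_violation": 3,
}

if __name__ == "__main__":
    for name, l, i in (("portal", PORTAL_LIKELIHOOD, PORTAL_IMPACT),
                       ("internal", INTERNAL_LIKELIHOOD, INTERNAL_IMPACT)):
        r = rate(l, i)
        print(f"{name}: likelihood {r['likelihood']:.2f} ({r['likelihood_band']}), "
              f"impact {r['impact']:.2f} ({r['impact_band']}) -> {r['severity']}")
```

Run as a script it rates the portal scenario CRITICAL and the internal one LOW. The only things that changed between the two are the contextual factors (who can reach the flaw, what the database holds, whether exploitation would be noticed), which is the "when is Critical not?" question the thread is about; the banding thresholds and the severity matrix are the methodology's, so a team that wants different weights only has to change the scores, not the code.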

 

From: Rafal @ IsHackingYou.com [mailto:rafal at ishackingyou.com] 
Sent: Wednesday, December 17, 2008 2:06 PM
To: Dave Wichers; paulo.coimbra at owasp.org
Cc: 'OWASP Foundation Board List';
global_tools_and_project_committee at lists.owasp.org
Subject: Re: [Owasp-board] OWASP Project - Security Vulnerability
Contextualization Framework

 

Dave, Jeff and everyone else that's responded,

 

    First off, thanks for the quick reply.  Second - the closest project to
what I'm thinking of doing is the one Dave recommended below - although it's
not *quite* what I'm thinking.

 

    My problem is this: I work for HP App Sec Center (formerly SPI Dynamics)
and, like everyone else, our vuln scanner and tools have
"Critical/High/Medium/Low/etc" ratings for things like SQL Injection, XSS
and other flaws... but those are developed in a vacuum.  The question
becomes how do you add CONTEXT to a vulnerability like SQLi to make it a
realistic rating.  "Critical" isn't always critical; there are at least 3-4
factors that I think should make up the "context" of a vulnerability (and
I'm writing a paper on one of the main ones)... so if you guys think that
the Risk Rating Methodology is appropriate, so be it, I'll join that
effort... otherwise I'll pursue this idea in a separate project.  I'm open
to suggestion.

 

    I am envisioning this being a rather concise framework/reference... in a
"workbook" format.  Take all the vulns you have, plot them using this
(hopefully) simple method, and they'll end up with a place on a chart which
will then help you figure out what the "real risk rating" actually is... I
was hoping to turn it into a java-based tool that'll actually walk you
through these steps in a semi-automated fashion... (I'd love to grab someone
who can actually program, whereas I cannot, heh).

 

Thoughts?


__
Rafal M. Los
IT Security - Response | Mitigation | Strategy

 

E-mail:  rafal at ishackingyou.com
Direct:  +1 (404) 606-6056
 - gPGP:      0xFFC63B33
 - Blog:         http://preachsecurity.blogspot.com
 - LinkedIn:  http://www.linkedin.com/in/rmlos

From: Dave Wichers [mailto:dave.wichers at owasp.org]

Sent: Wednesday, December 17, 2008 8:03 AM

To: paulo.coimbra at owasp.org; 'Rafal Los' [mailto:rafal at ishackingyou.com]

Cc: 'OWASP Foundation Board List' [mailto:owasp-board at lists.owasp.org];
global_tools_and_project_committee at lists.owasp.org

Subject: RE: [Owasp-board] OWASP Project - Security Vulnerability
Contextualization Framework

 

Rafal,

 

Have you looked at:
http://www.owasp.org/index.php/How_to_value_the_real_risk

 

Seems like what you are interested in should either use, or potentially
extend this work. This work was done mostly by Jeff Williams where it
started off as a standalone methodology. It has now become part of the
Testing Guide, and probably belongs as a chapter in the Code Review and
Development Guides as well.

 

-Dave

 

From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Paulo Coimbra
Sent: Wednesday, December 17, 2008 7:57 AM
To: 'Rafal Los'
Cc: 'OWASP Foundation Board List';
global_tools_and_project_committee at lists.owasp.org
Subject: Re: [Owasp-board] OWASP Project - Security Vulnerability
Contextualization Framework

 

Hello Rafal,

 

Thank you very much for supporting our community. Your contribution is
certainly most welcomed. 

 

I am forwarding your question to our OWASP Global Projects and Tools
Committee <https://www.owasp.org/index.php/Global_Projects_and_Tools_Committee>.
After having their feedback, I will either add you to an existent project or
set up a new project page for you to assume as project leader.

 

Meanwhile, I suggest glancing at our Assessment Criteria
<https://www.owasp.org/index.php/Category:OWASP_Project_Assessment>,
which states the path each OWASP project ought to follow so as to reach
Release Quality status.

 

Many thanks, best regards,

 

Paulo Coimbra,

OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>

 

From: Rafal Los [mailto:rafal at ishackingyou.com] 
Sent: Wednesday, 17 December 2008 08:00
To: paulo.coimbra at owasp.org
Subject: OWASP Project - Security Vulnerability Contextualization Framework

 

Paulo,
  At the last OWASP in NYC, I was speaking with Tom Brennan and some of the
folks there and one of the things that's very difficult to come by is a set
of "standards", or perhaps a framework for providing context around a web
application security vulnerability.  I think this would be a wonderful
project to kick off (if it doesn't already exist) as I think coming up with
a standard way of looking at a vulnerability to determine context and thus
an actual "Severity Rating" is critical to helping analysts be consistent.
  The question everyone asks - when is Critical Not?  In my blog post (here:
http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2008/10/31/risk-rating-when-is-critical-not.aspx)
I start the discussion, and I have had great feedback as well... the next
logical step for me is to move this discussion forward by writing up a
formal framework for "contextualizing security defects" to more accurately
address vulnerabilities as risks.

  If such a project already exists, please add me to it if possible; if not,
I would like to propose it and move forward.

Cheers.


  _____  


Rafal (Ralph) M. Los
IT Security - Response | Mitigation | Strategy
E-mail:  rafal at ishackingyou.com
Direct:  +1 (404) 606-6056
 - gPGP:    0xFFC63B33
 - Blog:    http://preachsecurity.blogspot.com
 - Web:     http://www.ishackingyou.com
 - LinkedIn: http://www.linkedin.com/in/rmlos


