[Owasp-leaders] OWASP Top 10 Methodology

Dennis Groves dennis.groves at owasp.org
Tue Mar 5 16:38:52 UTC 2013

On 5 Mar 2013, at 14:33, Dave Wichers wrote:

> The likelihood that an attacker would successfully attack the 
> application given this vulnerability.

Please tell me how you can predict an attacker's behaviour based on a 
technical vulnerability…
I am certain you will win the Nobel Prize in social psychology!  :-)

> I could imagine some attack metrics only measure attempts to attack 
> (like random DOSing, or random attempts at SQL injection/XSS) but 
> don't or can't measure the number of actually successful attacks.

These are not metrics; this is counting. Metrics require you to 
understand your margin of error or uncertainty of the measurement; this 
is known as confidence. We have zero confidence.

This is no different than counting bananas at the supermarket and then 
attempting to predict how likely a person is to purchase a banana from 
the fruit section of the supermarket based on the number of bananas!

Look, I am being completely serious here - I know we have a very 
difficult problem that we are all attempting to solve, and that 
everybody is putting in best efforts; but I seriously think, with all our 
world-class talent, we can do much better than counting bananas. :-)

[Dennis Groves](http://about.me/dennis.groves), MSc
*This email is licensed under a [CC BY-ND 
3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
> The idea that some lives matter less is the root of all that’s wrong 
> with the world. -- Paul Farmer
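To make concrete the distinction drawn in the message above between a bare count and a metric that carries its own uncertainty, here is an added example written for this page; it is not code from the thread, from Dennis Groves, or from the OWASP Top 10 methodology. It assumes constructed monthly counts of attack attempts and successes for a hypothetical application (the OBSERVED numbers are invented, as are the function names) and computes a Wilson score interval around each success rate, so that the width of the interval, rather than the count alone, says how much the number can be trusted.

```python
import math

# Constructed sample: counts an IDS might report for one application in a month.
# These numbers are invented for illustration, not measured data.
OBSERVED = {
    "sqli_attempts": 1000, "sqli_successes": 3,
    "xss_attempts": 10,    "xss_successes": 0,
}


def wilson_interval(successes, attempts, z=1.96):
    """95% (z=1.96) Wilson score interval for a success proportion.

    Returns (low, high). Unlike the naive successes/attempts point estimate,
    the interval width makes the uncertainty of the count explicit: with few
    attempts it is wide, which is the 'confidence' a bare count never expresses.
    """
    if attempts <= 0:
        raise ValueError("cannot estimate a rate from zero attempts")
    if not 0 <= successes <= attempts:
        raise ValueError("successes must lie between 0 and attempts")
    p_hat = successes / attempts
    z2 = z * z
    denom = 1 + z2 / attempts
    centre = (p_hat + z2 / (2 * attempts)) / denom
    half = z * math.sqrt(
        p_hat * (1 - p_hat) / attempts + z2 / (4 * attempts * attempts)
    ) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def rate_with_uncertainty(successes, attempts, z=1.96):
    """Point estimate plus interval: the minimum a 'metric' should carry."""
    low, high = wilson_interval(successes, attempts, z)
    return {
        "point": successes / attempts,
        "low": low,
        "high": high,
        "width": high - low,
    }


def summarise(observed=OBSERVED):
    """Turn raw attempt/success counts into rates with confidence intervals."""
    out = {}
    for name in ("sqli", "xss"):
        out[name] = rate_with_uncertainty(
            observed[f"{name}_successes"], observed[f"{name}_attempts"]
        )
    return out


if __name__ == "__main__":
    for name, r in summarise().items():
        print(
            f"{name}: point={r['point']:.3f} "
            f"95% interval=[{r['low']:.3f}, {r['high']:.3f}] width={r['width']:.3f}"
        )
```

With the constructed counts, ten XSS attempts and zero successes give a point estimate of 0 but an interval reaching almost 0.28, so "zero successful XSS attacks" is compatible with a success rate of one in four; a thousand SQLi attempts with three successes give a far narrower interval. The count alone shows none of that.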
