[Owasp-leaders] OWASP Top 10 Methodology

Paweł Krawczyk pawel.krawczyk at hush.com
Tue Mar 5 19:06:42 UTC 2013

On 5/3/2013 at 4:41 PM, "Dennis Groves"  wrote:
On 5 Mar 2013, at 14:33, Dave Wichers wrote:

> The likelihood that an attacker would successfully attack the 
> application given this vulnerability.

Please tell me how you can predict an attacker's behaviour based on a 
technical vulnerability…
I am certain you will win a Nobel prize in social psychology!  :-)
But companies have been doing that for years. Cyber attacks are a large
number of actions performed by independent individuals, which makes them
good candidates for statistical analysis. If you can do this for
ketchup sales (like Heinz did http://goo.gl/Cdc7D) I don't see a
reason why we couldn't do that for web application attacks. 
A common argument is that "we do not have enough data" but it's not
true. We probably do not have plenty of very good data, but definitely
we have enough data to make at least basic quantitative reasoning. And
even the simplest quantitative reasoning is better than multiplying apples
by oranges, and saying "it's high" in the end, as is often done in
qualitative risk analysis.
We have a lot of very interesting data (most of it listed here
https://owasp.org/index.php/Top_10_2013/ProjectMethodology), that can
be classified as follows:

* vulnerability prevalence data from high-profile applications (from scanners and pentesting),
* incident statistics for mass defacements of low-profile web sites (Zone-H),
* incident statistics for selected high-profile web sites and applications (Imperva, WHID)

The fact that all these numbers do not match each other is not an
inconsistency or proof of poor data quality, but a very interesting
natural observation by itself. If the most prevalent vulnerabilities are
not the most frequently exploited ones, it's already very useful
information and tells us a lot about the "economics of hacking". We
just need to extract these facts and interpret them properly,
according to the data we have. It's not as trivial as running
AVERAGE() in Excel, but it can be done. And if we don't get it right
the first time, someone will surely come up and correct us.
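As an added illustration of the quantitative comparison argued for above (this is example code written for this page, not code from the thread, from OWASP or from any of the data sources named), the following Python script ranks vulnerability classes by how often they are found and by how often they appear in incident statistics, then computes an exploitation-to-prevalence ratio for each class. The class names and all figures are constructed sample shares, not Zone-H, WHID or Imperva data; the point is the shape of the computation, in which a class that is common but rarely exploited and a class that is rare but heavily exploited fall out directly from the two rankings rather than from a qualitative "it's high".

```python
"""Compare vulnerability prevalence with incident frequency.

Added example for the mailing-list post above; not OWASP code.
All figures are constructed sample shares, not Zone-H/WHID/Imperva data.
"""

# Constructed: share of assessed applications in which each class was found
# (what scanners and pentests report).
PREVALENCE = {
    "XSS": 0.60,
    "SQLi": 0.15,
    "Broken Auth": 0.30,
    "CSRF": 0.40,
    "Security Misconfig": 0.50,
}

# Constructed: share of recorded incidents attributed to each class
# (what incident databases report).
INCIDENTS = {
    "XSS": 0.20,
    "SQLi": 0.45,
    "Broken Auth": 0.15,
    "CSRF": 0.02,
    "Security Misconfig": 0.18,
}


def rank(scores):
    """Classes ordered from highest to lowest score (ties broken by name)."""
    return [name for name, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))]


def exploitation_ratio(prevalence, incidents):
    """Incident share divided by prevalence share, per class.

    Both inputs are normalised to sum to 1 first, so the ratio answers:
    given how often a class is present, how often is it the one actually hit?
    Values above 1 mean the class is attacked out of proportion to its
    prevalence; values below 1 mean it is common but rarely exploited.
    """
    total_p = sum(prevalence.values())
    total_i = sum(incidents.values())
    ratios = {}
    for name, p in prevalence.items():
        p_share = p / total_p
        i_share = incidents.get(name, 0.0) / total_i
        ratios[name] = i_share / p_share if p_share else float("inf")
    return ratios


def rank_shift(prevalence, incidents):
    """Per class: (rank by prevalence, rank by incidents, exploitation ratio).

    A large gap between the two ranks is the mismatch the post describes as
    an observation about the economics of hacking, not a data-quality error.
    """
    by_prev = rank(prevalence)
    by_inc = rank(incidents)
    ratios = exploitation_ratio(prevalence, incidents)
    return {
        name: (by_prev.index(name) + 1, by_inc.index(name) + 1, ratios[name])
        for name in prevalence
    }


def main():
    rows = rank_shift(PREVALENCE, INCIDENTS)
    print(f"{'class':<20}{'prev#':>6}{'inc#':>6}{'ratio':>8}")
    # Most disproportionately exploited class first.
    for name, (pr, ir, ratio) in sorted(rows.items(), key=lambda kv: -kv[1][2]):
        print(f"{name:<20}{pr:>6}{ir:>6}{ratio:>8.2f}")


if __name__ == "__main__":
    main()
```

With the constructed figures, the script ranks XSS first by prevalence but only second by incidents (ratio 0.65), while SQLi is last by prevalence and first by incidents (ratio 5.85); swapping in real prevalence and incident series is a matter of replacing the two dictionaries, and any class present in one series but not the other shows up as a ratio of zero or infinity rather than being silently averaged away.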