[Owasp-leaders] OWASP Top 10 Methodology

marco.m.morana at gmail.com marco.m.morana at gmail.com
Tue Mar 5 20:26:52 UTC 2013


Not sure this will bring the discussion toward a more scientific approach of risk analysis to determine top ten risks. One possible approach is to consider the probability of threats affecting assets by exploit of unmitigated vulnerabilities. This probability can be determined based upon a relationship between threats, assets and vulnerabilities. To factor the probability of a threat you need to consider a security ontology such as NIST SP 800 and model the relationships between assets, threats, vulnerabilities and controls/countermeasures. I think we have this on OWASP T10 as the relationship of threat agent x vulnerability x impact on assets, but we do not factor threat agent probabilities based upon a) mitigated vulnerability (lack of control), b) control effectiveness, c) attacker probability as a factor of motivation and capability, d) accidental threats and e) previous threats (threat history). By modeling these factors and by weighting them with a statistical model it is possible to determine the probability of threats exploiting vulnerabilities to cause impacts on assets. Threat/asset probabilities can be calculated using statistical methods such as Bayesian methods that are dealt with in the papers herein (*). It would be interesting to use these formal methods to find the threat probability of exploiting the OWASP T10 for certain types of inherent risk of assets (High, Medium and Low), assuming the vulnerabilities are unmitigated (conservative approach). Perhaps this can be an OWASP project worth considering sponsorship for?

(*)
http://publik.tuwien.ac.at/files/PubDat_172057.pdf
http://www.csiir.ornl.gov/csiirw/09/CSIIRW09-Proceedings/Abstracts/Neubauer-abstract.pdf

Regards
Marco M.



Sent from my iPad

On 5 Mar 2013, at 19:40, "Paweł Krawczyk" <pawel.krawczyk at hush.com> wrote:

> On 5/3/2013 at 7:16 PM, "Dennis Groves" <dennis.groves at owasp.org> wrote:
> 
> > But we have never been able to predict if any **specific individual** 
> > will purchase the banana.
> 
> I'm not sure if these analogies will take us anywhere useful. I think at the maturity level of our industry it's already extremely useful to know that apps having feature Y are more frequently hacked than Z. Which then allows you to make specific decisions about training budget for the next year, or security testing priorities. Or, more precisely, convince those who hold money that they should be spent and what they should be spent for - for example, that it makes sense to spend $20k for pentesting of an application that is threatened with a $10m fine from the FSA in case of compromise, rather than an internal desk booking application. Most people can build those arguments intuitively, but I can see it's time to move to another level - and start quantifying things.
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
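As an added illustration of the factor model Marco sketches above (this is not code from the thread, from OWASP, or from the papers he cites), the toy below scores constructed OWASP-T10-style categories with a simple Bayesian estimate. Threat history is turned into an attempt probability with a Beta-Binomial update, scaled by attacker motivation and capability, combined with accidental triggers, and then multiplied by the chance that no effective control stops the attempt and by the asset's inherent impact. The category names, weights, the uniform Beta(1,1) prior, the High/Medium/Low impact scale and every number in the sample data are assumptions chosen for the example; the `conservative` switch implements the "assume unmitigated" stance from the post.

```python
"""Toy Bayesian threat-probability model for ranking T10-style risks.

Added example, not from the thread or the cited papers.  All factor weights,
priors and sample values are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed mapping of inherent asset risk to a numeric impact weight.
IMPACT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}


@dataclass
class ThreatFactors:
    name: str
    past_incidents: int          # threat history: exploit attempts observed
    observation_periods: int     # number of periods (e.g. months) the history covers
    motivation: float            # attacker motivation, 0..1
    capability: float            # attacker capability, 0..1
    accidental_rate: float       # per-period probability of a non-malicious trigger
    control_present: bool        # is there a countermeasure at all?
    control_effectiveness: float # probability the control stops an attempt, 0..1
    asset_impact: str            # "High" | "Medium" | "Low"


def attempt_probability(f: ThreatFactors, prior_a: float = 1.0, prior_b: float = 1.0) -> float:
    """Posterior mean of 'an attempt happens in a period' from threat history.

    Beta(prior_a, prior_b) prior (uniform by default, an assumption) updated
    with past_incidents successes out of observation_periods trials.
    """
    a = prior_a + f.past_incidents
    b = prior_b + max(f.observation_periods - f.past_incidents, 0)
    history_rate = a / (a + b)
    # Deliberate attempts are scaled by motivation x capability; accidental
    # triggers are treated as an independent event and OR-ed in.
    deliberate = history_rate * f.motivation * f.capability
    return 1.0 - (1.0 - deliberate) * (1.0 - f.accidental_rate)


def unmitigated_probability(f: ThreatFactors, conservative: bool = False) -> float:
    """Probability that an attempt meets no effective control.

    conservative=True is the post's 'assume vulnerabilities are unmitigated'.
    """
    if conservative or not f.control_present:
        return 1.0
    return 1.0 - f.control_effectiveness


def exploit_probability(f: ThreatFactors, conservative: bool = False) -> float:
    """P(threat exploits the vulnerability) = P(attempt) * P(no effective control)."""
    return attempt_probability(f) * unmitigated_probability(f, conservative)


def risk_score(f: ThreatFactors, conservative: bool = False) -> float:
    """Exploit probability weighted by the asset's inherent impact."""
    return exploit_probability(f, conservative) * IMPACT[f.asset_impact]


def rank(factors: list, conservative: bool = False) -> list:
    """Categories ordered from highest to lowest risk score."""
    return sorted(factors, key=lambda f: risk_score(f, conservative), reverse=True)


# Constructed sample data: three categories over a 12-period history.
INJECTION = ThreatFactors("Injection", 6, 12, 0.9, 0.8, 0.0, True, 0.9, "High")
MISCONFIG = ThreatFactors("Security Misconfiguration", 2, 12, 0.6, 0.9, 0.1, False, 0.0, "Medium")
REDIRECTS = ThreatFactors("Unvalidated Redirects", 0, 12, 0.3, 0.9, 0.0, True, 0.5, "Low")
SAMPLE = [INJECTION, MISCONFIG, REDIRECTS]

if __name__ == "__main__":
    for mode in (False, True):
        print("conservative" if mode else "as mitigated")
        for f in rank(SAMPLE, conservative=mode):
            print(f"  {f.name:28s} risk={risk_score(f, mode):.4f}")
```

Running it shows why the conservative assumption matters: with controls credited, the uncontrolled misconfiguration category ranks first, but once every control is assumed absent, the well-mitigated but heavily targeted injection category moves to the top. The same shape (history-driven prior, attacker factors, control effectiveness, impact) is what a real project would calibrate from incident data rather than the constructed numbers used here.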

