[Owasp-leaders] OWASP Top 10 Methodology

Paweł Krawczyk pawel.krawczyk at hush.com
Tue Mar 5 21:17:27 UTC 2013

Marco, these are very interesting papers - thanks for them. I haven't
seen these, but I have around 10 other papers on application fault
trees that I've found on Scholar and/or purchased over the last year
when trying to understand that topic. Some of them build models for
web applications, but the best ones were on SCADA. No problem to share
them on fair use basis if anyone is interested.
There's a slight problem with them - they all focus on developing a
theoretical model and stop at this point, without actually trying to
apply it to the real world. They might be missing the data that we
have, so making this an OWASP project would make sense. We
definitely need someone with strong scientific background in the team
- we might actually talk to authors of these papers if they are
 Paweł Krawczyk, CISSP
 http://ipsec.pl http://echelon.pl
 +48 602 776959

On 5/3/2013 at 8:27 PM, marco.m.morana at gmail.com wrote:

Not sure this
will bring the discussion toward a more scientific approach of risk
analysis to determine top ten risks. One possible approach is to
consider the probability of threats affecting assets by exploit of
unmitigated vulnerabilities. This probability can be determined based
upon a relationship between threats, assets and vulnerabilities. To
factor the probability of a threat you need to consider a security
ontology such as NIST SP 800 and model the relationships between
assets , threats, vulnerabilities and controls/countermeasures. I
think we have this on OWASP T10 as relationship of threat agent x
vulnerability x impact on assets but we do not factor threat agent
probabilities based upon a) mitigated vulnerability (lack of control)
b) control effectiveness, c) attacker probability as factor of
motivation and capability d) accidental threats and e) previous
threats (threat history). By modeling these factors and by weighting
them with a statistical model it is possible to determine the probability
of threats to exploit vulnerabilities to cause impacts on assets.
Threat asset probabilities can be calculated using statistical methods
such as Bayesian methods that are dealt with in the papers herein (*). It
would be interesting to use these formal methods to find the threat
probability to exploit OWASP T10 for certain type of inherent risks of
assets (High Medium and Low) assuming the vulnerabilities are
unmitigated (conservative approach). Perhaps this can be an OWASP
project worth considering sponsorship?
Regards, Marco M.
Sent from my iPad
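A worked illustration of the factor model Marco sketches above, added here as an example and not code from this thread or from the OWASP Top 10 project; the Beta(1,1) prior, the way factors (a)-(e) are combined, the impact weights and the sample figures are all assumptions:

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Weights for the asset's inherent risk classes named in the mail (assumed values).
IMPACT_WEIGHT: Dict[str, float] = {"High": 1.0, "Medium": 0.5, "Low": 0.2}

@dataclass
class ThreatFactors:
    category: str                 # hypothetical label for a Top 10 category
    mitigated: bool               # (a) is any control in place for the vulnerability?
    control_effectiveness: float  # (b) fraction of attempts the control stops, 0..1
    motivation: float             # (c) attacker motivation, 0..1
    capability: float             # (c) attacker capability, 0..1
    accidental: float             # (d) per-period probability of an accidental trigger
    incidents: int                # (e) incidents observed in the threat history ...
    periods: int                  # (e) ... over this many observation periods

def attempt_probability(f: ThreatFactors) -> float:
    """(e) Bayesian estimate that an attempt occurs this period: a Beta(1,1)
    prior updated with the history gives posterior mean (incidents+1)/(periods+2)."""
    return (f.incidents + 1) / (f.periods + 2)

def success_given_attempt(f: ThreatFactors, conservative: bool) -> float:
    """(a)-(c) Probability an attempt succeeds. The conservative setting from the
    mail treats every vulnerability as unmitigated, so the control is ignored."""
    stopped = 0.0 if (conservative or not f.mitigated) else f.control_effectiveness
    return f.motivation * f.capability * (1.0 - stopped)

def exploit_probability(f: ThreatFactors, conservative: bool = True) -> float:
    """Combine the deliberate path (attempt x success) with the accidental path
    (d): the vulnerability is exploited if either path fires in the period."""
    deliberate = attempt_probability(f) * success_given_attempt(f, conservative)
    return 1.0 - (1.0 - deliberate) * (1.0 - f.accidental)

def rank(factors: List[ThreatFactors], inherent_risk: str,
         conservative: bool = True) -> List[Tuple[str, float]]:
    """Order categories by P(exploit) x impact weight, i.e. the
    'threat agent x vulnerability x impact on assets' product from the mail."""
    w = IMPACT_WEIGHT[inherent_risk]
    scored = [(f.category, exploit_probability(f, conservative) * w) for f in factors]
    return sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed sample data, not real statistics.
SAMPLE = [
    ThreatFactors("Injection", True, 0.5, 0.8, 0.5, 0.1, 3, 12),
    ThreatFactors("Misconfiguration", False, 0.0, 0.6, 0.9, 0.3, 1, 12),
]

if __name__ == "__main__":
    for name, score in rank(SAMPLE, "High"):
        print(f"{name:18s} {score:.3f}")
```

Switching `conservative` off lets the control effectiveness (b) lower the score, which is the comparison the mail suggests making between mitigated and unmitigated assumptions.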
On 5 Mar 2013, at 19:40, "Paweł Krawczyk" wrote:

On 5/3/2013 at 7:16 PM, "Dennis Groves" wrote:
But we have never been able to predict if any **specific individual** 
will purchase the banana.

I'm not sure if these analogies will take us anywhere useful. I think
at the maturity level of our industry it's already extremely useful to
know that apps having feature Y are more frequently hacked than Z.
Which then allows you to make specific decisions about training budget
for the next year, or security testing priorities. Or, more precisely,
convince those who hold money that they should be spent and what
they should be spent for - for example, that it makes sense to spend
$20k for pentesting of an application that is threatened with $10m
fine from FSA in case of compromise, rather than an internal desk
booking application. Most people can build those arguments
intuitively, but I can see it's time to move to another level - and
start quantifying