[Owasp-leaders] How to determine if an application is or not vulnerable based on a Risk Management matrix
dennis.groves at owasp.org
Fri Mar 8 15:17:15 UTC 2013
On 8 Mar 2013, at 14:48, Michael Hidalgo wrote:
> Hi Folks, Greetings from the beautiful Costa Rica :)
> Today I received an interesting question from a person that is going to
> participate in the upcoming OWASP Latam Tour (and I say interesting
> I'm glad OWASP methodologies are being adopted in Costa Rica).
> So this person did a terrific job. Along with a lot of developers,
> created a Risk Management matrix and they identified all the
> they are using. Then, based on the OWASP Top Ten, they did a
> on that and at the end of the day they determined which applications
> required special attention.
I would love to see it - where is it?
> This person sent me an email and his principal concern is, once he has
> determined which applications are more vulnerable (as a result of the
> Matrix), how they could evaluate if those vulnerabilities exist in their
We all share this concern.
> Since I'm not an expert in Risk Management, what would you guys
> suggest? Basically the question here is: given the Risk Management
> how to determine the incidence of those vulnerabilities in the code?
This is the million dollar question, if we could find all the problems,
we could easily manage them and we would not have any problems. ;-)
> Is there any project at OWASP that explains something similar or any
> I was reading at https://www.owasp.org/index.php/Threat_Risk_Modeling
> is very complete.
This is actually not that good. Threat modelling and risk modelling are
very different. Threat modelling is about surfacing risks. Risk
modelling is about managing the risks you surfaced through threat
modelling. Currently OWASP seems a bit confused about the differences.
Think about it this way:
- Threat Models are about finding the known and unknown.
- Risk models are about managing the known and unknown. (Elimination)
Currently both threat and risk modelling do fairly well with the known;
unfortunately neither does very well with the unknown. This unknown
factor is the biggest issue not only in IT risk, but also in financial
risk, and subsequently leads to things like bank bailouts.
As you can imagine then surfacing the risks is much, much harder.
Although, others would say it is simply throwing rocks at glass houses.
We are all trying to find better ways to identify the risks, but it is
always the case that you get bitten by the one thing you did not know
about or forgot to manage. For threat modelling the OWASP page links to
some good resources.
Because risk management is much easier, there is much more written about
it. For a semi-complete list of risk management tools see:
[Dennis Groves](http://about.me/dennis.groves), MSc