[Owasp-leaders] How to determine if an application is or not vulnerable based on a Risk Management matrix

Dennis Groves dennis.groves at owasp.org
Fri Mar 8 15:17:15 UTC 2013


On 8 Mar 2013, at 14:48, Michael Hidalgo wrote:

> Hi Folks, Greetings from the beautiful Costa Rica :)
>
> Today I received an interesting question from a person that is going to
> participate in the upcoming OWASP Latam Tour (and I say interesting because
> I'm glad OWASP methodologies are being adopted in Costa Rica).
>
> So this person did a terrific job, along with a lot of developers. They
> created a Risk Management matrix and they identified all the applications
> they are using. Then, based on the OWASP Top Ten, they did a classification
> on that and at the end of the day they determined which applications
> required special attention.

I would love to see it - where is it?

> This person sent me an email and his principal concern is, once he has
> determined which applications are more vulnerable (as a result of the Risk
> Matrix), how they could evaluate if those vulnerabilities exist in their
> application.

We all share this concern.

> Since I'm not an expert in Risk Management, what would you guys
> suggest? Basically the question here is: given the Risk Management Matrix,
> how to determine the incidence of those vulnerabilities in the code?

This is the million dollar question: if we could find all the problems, 
we could easily manage them and we would not have any problems. ;-)

> Is there any project at OWASP that explains something similar or any
> further reference?

See below.

> I was reading https://www.owasp.org/index.php/Threat_Risk_Modeling, which
> is very complete.

This is actually not that good. Threat modelling and risk modelling are 
very different. Threat modelling is about surfacing risks. Risk 
modelling is about managing the risks you surfaced through threat 
modelling. Currently OWASP seems a bit confused about the differences.

Think about it this way:
- Threat models are about finding the known and unknown. (Identification)
- Risk models are about managing the known and unknown. (Elimination)

Currently both threat and risk modelling do fairly well with the known; 
unfortunately neither does very well with the unknown. This unknown 
factor is the biggest issue not only in IT risk, but also in financial 
risk, and subsequently leads to things like bank bailouts.

As you can imagine, then, surfacing the risks is much, much harder. 
Although others would say it is simply throwing rocks at glass houses, 
we are all trying to find better ways to identify the risks, but it is 
always the case that you get bitten by the one thing you did not know 
about or forgot to manage. For threat modelling, the OWASP page links to 
some good resources.

Because risk management is much easier, there is much more written about 
it. For a semi-complete list of risk management tools see: 
http://rm-inv.enisa.europa.eu


Dennis

-- 
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a 
meeting](http://goo.gl/8sPIy).

*This email is licensed under a [CC BY-ND 
3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free 
software](http://www.fsf.org/campaigns/secure-boot/statement).

> The idea that some lives matter less is the root of all that’s wrong 
> with the world. -- Paul Farmer