[Owasp-leaders] How to determine if an application is or not vulnerable based on a Risk Management matrix

Michael Hidalgo michael.hidalgo at owasp.org
Fri Mar 8 15:25:56 UTC 2013

Hi Dennis,
Thanks for being that responsive. Your answer makes perfect sense to me
and I do have a better idea of what to suggest :)

On Fri, Mar 8, 2013 at 9:17 AM, Dennis Groves <dennis.groves at owasp.org> wrote:

> On 8 Mar 2013, at 14:48, Michael Hidalgo wrote:
>
>> Hi Folks, Greetings from the beautiful Costa Rica :)
>> Today I received an interesting question from a person that is going to
>> participate in the upcoming OWASP Latam Tour (and I say interesting because
>> I'm glad OWASP methodologies are being adopted in Costa Rica).
>> So this person did a terrific job, along with a lot of developers. They
>> created a Risk Management matrix and they identified all the applications
>> they are using. Then, based on the OWASP Top Ten, they did a classification
>> on that and at the end of the day they determined which applications
>> required special attention.
>
> I would love to see it - where is it?
>
>> This person sent me an email and his principal concern is, once he has
>> determined which applications are more vulnerable (as a result of the Risk
>> Matrix), how they could evaluate if those vulnerabilities exist in their
>> application.
>
> We all share this concern.
>
>> Since I'm not an expert in Risk Management, what would you guys
>> suggest? Basically the question here is: given the Risk Management Matrix,
>> how to determine the incidence of those vulnerabilities in the code?
>
> This is the million dollar question; if we could find all the problems, we
> could easily manage them and we would not have any problems. ;-)
>
>> Is there any project at OWASP that explains something similar or any further
>> reference?
>
> See below.
>
>> I was reading https://www.owasp.org/index.php/Threat_Risk_Modeling which
>> is very complete.
>
> This is actually not that good. Threat modelling and risk modelling are
> very different. Threat modelling is about surfacing risks. Risk modelling
> is about managing the risks you surfaced through threat modelling.
> Currently OWASP seems a bit confused about the differences.
>
> Think about it this way:
> - Threat Models are about finding the known and unknown. (Identification)
> - Risk models are about managing the known and unknown. (Elimination)
>
> Currently both threat and risk modelling do fairly well with the known;
> unfortunately neither does very well with the unknown. This unknown factor
> is the biggest issue not only in IT risk, but also in financial risk, and
> subsequently leads to things like bank bailouts.
>
> As you can imagine then, surfacing the risks is much, much harder.
> Although, others would say it is simply throwing rocks at glass houses. We
> are all trying to find better ways to identify the risks, but it is always
> the case that you get bitten by the one thing you did not know about or
> forgot to manage. For threat modelling the OWASP page links to some good
> resources.
>
> Because risk management is much easier, there is much more written about
> it. For a semi-complete list of risk management tools see:
> http://rm-inv.enisa.europa.eu
>
> Dennis
>
> ------------------------------
> Dennis Groves <http://about.me/dennis.groves>, MSc
> Email me <dennis.groves at owasp.org> or schedule a meeting <http://goo.gl/8sPIy>.
> *This email is licensed under a CC BY-ND 3.0 <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
> *Please do not send me Microsoft Office/Apple iWork documents.*
> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
> Stand up for your freedom to install free software <http://www.fsf.org/campaigns/secure-boot/statement>.
> The idea that some lives matter less is the root of all that's wrong with
> the world. -- Paul Farmer


*Michael Hidalgo.*
*OWASP Chapter Leader & Researcher*

*Blog: http://michaelhidalgocr.blogspot.com*