[Owasp-leaders] Potential Update to the OWASP Risk Rating Methodology

Dennis Groves dennis.groves at owasp.org
Tue Mar 12 16:53:05 UTC 2013


On 12 Mar 2013, at 16:37, Josh Sokol wrote:

[ snip ]

> Use SQL Injection as an example for technical impact.  You have a 
> read-only
> user and the flaw allows full disclosure of data in the database with 
> full
> audit trails turned on.  According to the methodology, this would be 
> all
> data disclosed (9 - Confidentiality), no corrupt data (0 - Integrity), 
> no
> loss of availability (0 - Availability), and fully traceable (0 -
> Accountability).  Based on the methodology, you then average these 
> values
> so we get a technical impact of 2.25 (LOW).  I would argue, however, 
> that
> the technical impact of this particular vulnerability for this 
> specific
> situation would still be high.  Any dissenting thoughts on this?  
> Agreement?

The problem is that it is LOW **Compared** to WHAT?

It is Low compared to threats and vulnerabilities that disclose data (9 
- Confidentiality), corrupt data (9 - all data totally corrupt), which 
results in (9 - all services completely lost) and the attacker was 
anonymous (9 -  completely anonymous).

Since your example doesn't have an attack like this to be compared 
against, it seems very inaccurate (to be honest most of us never find a 
smoking gun of this nature, but we often find a lot of SQLi).

This is not to say that SQLi is not serious, it can be game over for a 
company. However, the risk rating methodology doesn't understand 
context.

This is why the companies hire security consultants. It is up to use to 
take this completely arbitrary and subjective idea of risk and to adjust 
it to reflect the current business context.

Everything depends heavily on the context. And our most difficult job is 
actually understanding the clients business so that when we make a 
recommendation about SQLi - it is credible and as a result we continue 
to be trusted because our recommendations are credible.


Dennis

-- 
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a 
meeting](http://goo.gl/8sPIy).

*This email is licensed under a [CC BY-ND 
3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free 
software](http://www.fsf.org/campaigns/secure-boot/statement).

> The idea that some lives matter less is the root of all that’s wrong 
> with the world. -- Paul Farmer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130312/99cecd60/attachment.html>


More information about the OWASP-Leaders mailing list