[Owasp-leaders] Potential Update to the OWASP Risk Rating Methodology

Josh Sokol josh.sokol at owasp.org
Tue Mar 12 18:31:58 UTC 2013


That's fair.  Though I'd say that regardless of who is consuming the
methodology, it has to make sense for their organization.  Many security
professionals just act like sheep and follow wherever the flock takes
them.  We're in a great position to help them make the right decisions
with this Risk Rating Methodology.  My point here is that if we give them a
poor base to start from, we are doing them a disservice and discrediting
our OWASP tools and methodologies in the process.  My suggestion is an
answer, likely not THE answer, and I like some of what Tim has thrown out
there.  But I do think that the current model is flawed, as it will
underconvey fairly significant risks.  Sounds like you feel like it's OK to
leave as is?

~josh

On Tue, Mar 12, 2013 at 12:28 PM, Dennis Groves <dennis.groves at owasp.org> wrote:

> On 12 Mar 2013, at 17:15, Josh Sokol wrote:
>
> I agree with what you said Dennis and truly appreciate your comment.
> Having said that, one of our primary communities of outreach is
> developers.
>
> Agreed.
>
> Sure, they should have security professionals to help convey
> risk, but that's not always the case. And if those developers are using
> this as a means to rate their risks
>
> RED ALERT!
>
> Risk ratings are a way of managing *organisational* risks. This is a
> function of *management* not development.
>
> If I, as a manager, have to decide between fixing insecure communications
> and SQLi, I need a tool like this to figure out which to fix first. My
> development team should most certainly not be making decisions of this
> magnitude in isolation! My development team should be fixing things
> according to the priority determined by the security management team.
>
> Context is everything! Developers live in a very detailed and low-level
> world and are very likely not to understand how their decisions impact the
> entire organisation, and for this reason it is all the more important that
> they not be making decisions, particularly about risks, without the
> involvement of the security management team.
>
> Dennis
> ------------------------------
>
> Dennis Groves <http://about.me/dennis.groves>, MSc
> Email me <dennis.groves at owasp.org> or schedule a meeting <http://goo.gl/8sPIy>.
>
> *This email is licensed under a CC BY-ND 3.0 <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
>
> *Please do not send me Microsoft Office/Apple iWork documents.*
> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
> Stand up for your freedom to install free software <http://www.fsf.org/campaigns/secure-boot/statement>.
>
> The idea that some lives matter less is the root of all that’s wrong with
> the world. -- Paul Farmer
>
>