[Owasp-leaders] Potential Update to the OWASP Risk Rating Methodology

gregory.disney gregory.disney at owasp.org
Tue Mar 12 20:07:16 UTC 2013


Could you use something like this? I use it for malware analysis reporting.


On Tue, Mar 12, 2013 at 2:31 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> That's fair.  Though I'd say that regardless of who is consuming the
> methodology, it has to make sense for their organization.  Many security
> professionals just act like sheep and follow wherever the flock takes
> them.  We're in a great position to help make them make the right decisions
> with this Risk Rating Methodology.  My point here is that if we give them a
> poor base to start from, we are doing them a disservice and discrediting
> our OWASP tools and methodologies in the process.  My suggestion is an
> answer, likely not THE answer and I like some of what Tim has thrown out
> there.  But I do think that the current model is flawed as it will
> underconvey fairly significant risks.  Sounds like you feel like its OK to
> leave as is?
>
> ~josh
>
>
> On Tue, Mar 12, 2013 at 12:28 PM, Dennis Groves <dennis.groves at owasp.org>wrote:
>
>>  On 12 Mar 2013, at 17:15, Josh Sokol wrote:
>>
>> I agree with what you said Dennis and truly appreciate your comment.
>> Having said that, one of our primary communities of outreach is
>> developers.
>>
>> Agreed.
>>
>> Sure, they should have security professionals to help convey
>> risk, but that's not always the case. And if those developers are using
>> this as a means to rate their risks
>>
>> RED ALERT!
>>
>> Risk ratings are a way of managing *organisational* risks. This is a
>> function of *management* not development.
>>
>> If I as a manager have to decide between fixing insecure communications
>> and SQLi; I need a tool like this to figure out which to fix first. My
>> development team should most certainly not be making decisions of this
>> magnitude in isolation! My development team should be fixing things
>> according to the priority determined by the security management team.
>>
>> Context is everything! Developers live in a very detailed and low level
>> world; and are very likely to not understand how their decisions impact the
>> entire organisation, and for this reason it is all the more important that
>> they not be making decisions, particularly about risks without the
>> involvement of the security management team.
>>
>> Dennis
>> ------------------------------
>>
>> Dennis Groves <http://about.me/dennis.groves>, MSc
>> Email me <dennis.groves at owasp.org> or schedule a meeting<http://goo.gl/8sPIy>
>> .
>>
>> *This email is licensed under a CC BY-ND 3.0<http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB>license.
>> *
>>
>> *Please do not send me Microsoft Office/Apple iWork documents.*
>> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
>> Stand up for your freedom to install free software<http://www.fsf.org/campaigns/secure-boot/statement>
>> .
>>
>> The idea that some lives matter less is the root of all that’s wrong with
>> the world. -- Paul Farmer
>>
>>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130312/3fcc3793/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Virology.png
Type: image/png
Size: 9684 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130312/3fcc3793/attachment-0001.png>


More information about the OWASP-Leaders mailing list