[Owasp-leaders] Fwd: Owasp risk rating

Sherif Mansour sherif.mansour at owasp.org
Sat Sep 30 09:42:37 UTC 2017


My advice as well is to split this problem in two parts:

1) what is a good model to assess the risk of a finding
2) Is this model usable/practical

For the second part, it's one thing to implement a scoring model; it's another
to be able to score hundreds/thousands/millions of findings.
With all these fields you have included, you have to remember that it will not
just take a security engineer: you have to include the engineering and the
business teams to come up with that score.

Another thing to factor in is *toxicity*. What I mean is you might have a
few medium/low findings, but if you string all these findings together you
have an attack chain that compromises an organisation or a system.

You have to be able to say "Yes, this issue on its own is not a big deal,
but if you string the other issues together you have a successful attack
chain. Therefore this issue is in the path of an attacker compromising us,
and we need to work together to fix this quickly."

Hope that helps

Also you might want to take a look at this for visualisation:
https://github.com/MichelleEmbleton/appSecRadar/tree/new-look
This was created by an OWASP member to visualise security issues; you can
change the fields to adapt it to your security model.
Hope you find this helpful.


Sherif Mansour
OWASP London Chapter Leader
sherif.mansour at owasp.org
https://www.owasp.org/index.php/London
Follow OWASP London Chapter on Twitter: @owasplondon
<https://twitter.com/OWASPLondon>
"Like" us on Facebook: https://www.facebook.com/OWASPLondon
Subscribe to our (lightweight) mailing list:
https://lists.owasp.org/mailman/listinfo/owasp-london
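The two points above (a usable scoring model, and "toxicity" where several low/medium findings form one attack chain) can be made concrete in a few lines. The following is an added example, not code from this thread, from Ade's riskrating.html page or from any OWASP project: it scores each finding with the OWASP Risk Rating Methodology (average the 0-9 likelihood factors and the 0-9 impact factors, band each as Low/Medium/High, look up the overall severity in the standard matrix), then runs a chain pass that escalates any finding lying on a complete path to a protected asset. The `enables` edges, the one-level escalation rule, the factor values and the "ASSET:" naming are constructed assumptions for illustration; a real programme would agree the chain rule with the engineering and business teams, as the message says.

```python
"""OWASP Risk Rating scoring plus a simple attack-chain ("toxicity") escalation.

Added example for the thread above; not the thread's, OWASP's or any project's code.
Factor names follow the OWASP Risk Rating Methodology; the chain rule is an assumption.
"""
from dataclasses import dataclass, field

LEVELS = ["Note", "Low", "Medium", "High", "Critical"]

# Overall severity from the OWASP Risk Rating Methodology, keyed (impact band, likelihood band).
MATRIX = {
    ("Low", "Low"): "Note", ("Low", "Medium"): "Low", ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low", ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High", ("High", "High"): "Critical",
}


@dataclass
class Finding:
    fid: str
    likelihood: dict            # threat-agent + vulnerability factors, each 0..9
    impact: dict                # technical + business impact factors, each 0..9
    enables: list = field(default_factory=list)  # ids (findings or "ASSET:x") this one opens up


def average(factors):
    """Mean of the factor scores; rejects empty sets and out-of-range values."""
    if not factors:
        raise ValueError("need at least one factor")
    for name, value in factors.items():
        if not 0 <= value <= 9:
            raise ValueError(f"factor {name} must be 0..9, got {value}")
    return sum(factors.values()) / len(factors)


def band(score):
    """OWASP banding of a 0-9 average: <3 Low, <6 Medium, otherwise High."""
    if score < 3:
        return "Low"
    if score < 6:
        return "Medium"
    return "High"


def base_severity(f):
    return MATRIX[(band(average(f.impact)), band(average(f.likelihood)))]


def chain_members(findings, target):
    """Ids of findings from which `target` is reachable via `enables` edges.

    Walks the edges in reverse from the target, so only findings on a complete
    chain to it are returned; dead-end findings are not.
    """
    by_id = {f.fid: f for f in findings}
    parents = {}
    for f in findings:
        for child in f.enables:
            parents.setdefault(child, set()).add(f.fid)
    seen, stack = set(), [target]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(parents.get(cur, ()))
    return {fid for fid in seen if fid in by_id}


def escalate(level, steps=1):
    """Bump a severity level by `steps`, capped at Critical."""
    return LEVELS[min(len(LEVELS) - 1, LEVELS.index(level) + steps)]


def rate(findings, target):
    """Return {finding id: (base severity, severity after chain escalation)}."""
    chain = chain_members(findings, target)
    return {
        f.fid: (base_severity(f), escalate(base_severity(f)) if f.fid in chain else base_severity(f))
        for f in findings
    }


# Constructed sample findings (values are illustrative, not from any real assessment).
L = ("skill", "motive", "opportunity", "size", "discovery", "exploit", "awareness", "detection")
I = ("confidentiality", "integrity", "availability", "accountability",
     "financial", "reputation", "compliance", "privacy")
SAMPLE_FINDINGS = [
    # Verbose error page leaking an internal API path: low impact alone, but it opens up F2.
    Finding("F1", dict(zip(L, (6, 4, 7, 6, 7, 5, 6, 5))), dict(zip(I, (2, 1, 1, 1, 1, 2, 1, 1))), ["F2"]),
    # Authorisation flaw on that internal API, reaching the customer database.
    Finding("F2", dict(zip(L, (5, 7, 4, 4, 3, 5, 4, 6))), dict(zip(I, (7, 5, 2, 6, 5, 6, 5, 7))), ["ASSET:customer-db"]),
    # Missing rate limit on a marketing form: easy to hit, little impact, leads nowhere.
    Finding("F3", dict(zip(L, (1, 2, 9, 9, 9, 9, 6, 8))), dict(zip(I, (0, 1, 3, 0, 1, 1, 0, 0)))),
]

if __name__ == "__main__":
    for fid, (base, final) in rate(SAMPLE_FINDINGS, "ASSET:customer-db").items():
        print(f"{fid}: base={base} after-chain={final}")
```

Run on its own, the script shows the point of the toxicity argument: F1 rates only Low on its own, yet it is the first link in a chain that ends at the customer database, so it is reported at Medium alongside F2 at High, while the noisy but harmless F3 keeps its base rating.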



On Sat, Sep 30, 2017 at 10:11 AM, OWASP Jakarta Chapter <ade.putra at owasp.org
> wrote:

> hi all leaders
> thank you @sherif and all leaders
> i am thinking about developing this model
> some cases i have referred from OWASP threat modelling and OWASP top 10
>
> i am still receiving all suggestions from all OWASP leaders to make
> this project better.
>
> sorry for delay to make  a guide for this project (find the attachment)
>
>
> thanks
>
> Ade Yoseman
> OWASP Volunteer <https://www.owasp.org/index.php/Jakarta>
>
>
>
> On Sat, Sep 30, 2017 at 2:34 PM, Sherif Mansour <sherif.mansour at owasp.org>
> wrote:
>
>> Hey Ade,
>>
>> Check out the VxSx scoring model here:
>> http://www.ten-inc.com/ise/northeast/project_nominees.asp
>>
>>
>> On Sun, 24 Sep 2017 at 9:18 am, Ade Yoseman Putra <ade.putra at owasp.org>
>> wrote:
>>
>>> hi leaders
>>>
>>> we have created a simple OWASP risk rating based on html
>>>
>>> you can view the source and copy-paste it on your computer
>>>
>>> if you have any ideas just send me an email
>>>
>>> http://165.227.109.55/riskrating.html
>>>
>>>
>>>
>>>
>>> Ade Yoseman
>>> OWASP Volunteer <https://www.owasp.org/index.php/Jakarta>
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>> --
>>
>> Sherif Mansour
>> OWASP London Chapter Leader
>> sherif.mansour at owasp.org
>> https://www.owasp.org/index.php/London
>> Follow OWASP London Chapter on Twitter: @owasplondon  <https://twitter.com/OWASPLondon>
>> "Like" us on Facebook: https://www.facebook.com/OWASPLondon
>> Subscribe to our (lightweight) mailing list: https://lists.owasp.org/mailman/listinfo/owasp-london
>>
>>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>

