[Owasp-testing] Defining Risk

Daniel Cuthbert daniel.cuthbert at owasp.org
Sun Dec 17 07:48:10 EST 2006


I've spent today looking at what has been written so far and I feel
we are venturing into some dangerous territory with what we are
suggesting.
We need an easy-to-use and easy-to-understand method of defining risk, and
the one we have at the moment will cause more confusion than good.

https://www.owasp.org/index.php/How_to_value_the_real_risk_AoC

The section on Quantitative Risk Calculation seems to be heavily
based upon some complex mathematical formula, but does anyone
honestly know how to do this?

I've shown this to a number of pentesters and colleagues and they all
agree that they would not use the above approach, as it's overly
complicated.

Thoughts?
