[Owasp-testing] Defining Risk

Jeff Williams jeff.williams at aspectsecurity.com
Mon Dec 18 01:46:00 EST 2006

Thanks Daniel for pointing this out.  I agree with your comments.  OWASP
has always stood for practical workable solutions and not for too much
theory.  Personally, I've never bought into any methodology that is very
quantitative as there is simply way too much uncertainty in appsec
estimates to make the math work well.

I think the basic process is pretty simple.  Estimate a bunch of factors
and calculate the likelihood, then estimate a few factors and calculate
the business impact.  Then multiply these to get the overall risk.

I believe we should flesh out these factors, show people how to weight
the factors as appropriate for their business, and be done with it.

This process is pretty close to what I'm talking about.    

My papers on this from the 90's
  - http://www.acsac.org/1998/presentations/fri-b-1030-jelen.pdf
  - http://www.sse-cmm.org/docs/Arguing.pdf


-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Daniel
Sent: Sunday, December 17, 2006 7:48 AM
To: owasp-testing at lists.owasp.org
Subject: [Owasp-testing] Defining Risk

I've spent today looking at what has been written so far and I feel  
we are venturing into some dangerous territory with what we are  
We need an easy to use, and understand, method of defining risk and  
the one we have at the moment will cause more confusion than good.


The section on Quantitative Risk Calculation seems to be heavily  
based upon some complex mathematical formula, but does anyone  
honestly know how to do this?

I've shown this to a number of pentesters and colleagues and they all  
agree that they would not use the above approach as it's overly  


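The estimate-the-factors, weight-them, then multiply likelihood by impact process Jeff sketches above, as an added worked example in Python that is not code from the thread or from OWASP; the factor names, the 0-9 rating scale, the level thresholds and the severity matrix are assumptions made here for illustration.

```python
# Added example, not code from the thread or from OWASP: rate 0-9 factors,
# weight them per business, combine into likelihood and impact, then multiply.
# Factor names, the 0-9 scale, level thresholds and the matrix are assumptions.
LIKELIHOOD_FACTORS = ("skill_required", "motive", "ease_of_discovery", "ease_of_exploit")
IMPACT_FACTORS = ("confidentiality", "integrity", "availability", "financial", "reputation")


def weighted_score(ratings, factors, weights=None):
    """Weighted mean of 0-9 ratings; an omitted weight counts as 1.
    Unrated or out-of-range factors are rejected, not silently defaulted."""
    weights = weights or {}
    missing = [f for f in factors if f not in ratings]
    if missing:
        raise ValueError(f"unrated factors: {missing}")
    for f in factors:
        if not 0 <= ratings[f] <= 9:
            raise ValueError(f"{f} must be rated 0-9, got {ratings[f]}")
    total = sum(weights.get(f, 1) for f in factors)
    return sum(ratings[f] * weights.get(f, 1) for f in factors) / total


def level(score):
    """Bucket a 0-9 score into three coarse levels (thresholds assumed)."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


# Coarse severity read off an assumed likelihood x impact matrix, so findings
# compare without pretending the numeric product has real precision.
SEVERITY = {
    ("LOW", "LOW"): "NOTE", ("LOW", "MEDIUM"): "LOW", ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}


def rate_risk(likelihood_ratings, impact_ratings, weights=None):
    """Return (likelihood, impact, likelihood*impact, severity) for one finding."""
    lik = weighted_score(likelihood_ratings, LIKELIHOOD_FACTORS, weights)
    imp = weighted_score(impact_ratings, IMPACT_FACTORS, weights)
    return lik, imp, lik * imp, SEVERITY[(level(lik), level(imp))]


if __name__ == "__main__":
    # Constructed sample finding: easy to find and exploit, moderate impact,
    # for a business that weights reputation three times the other factors.
    lik, imp, product, sev = rate_risk(
        {"skill_required": 7, "motive": 6, "ease_of_discovery": 8, "ease_of_exploit": 7},
        {"confidentiality": 6, "integrity": 4, "availability": 2, "financial": 5, "reputation": 3},
        weights={"reputation": 3},
    )
    print(f"likelihood={lik:.2f} impact={imp:.2f} product={product:.1f} severity={sev}")
```

Changing the `weights` mapping is the whole "weight the factors for your business" step; everything else stays fixed so two teams rating the same finding can see exactly why their results differ.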