[Owasp-testing] Defining Risk
jeff.williams at aspectsecurity.com
Mon Dec 18 01:46:00 EST 2006
Thanks Daniel for pointing this out. I agree with your comments. OWASP
has always stood for practical workable solutions and not for too much
theory. Personally, I've never bought into any methodology that is very
quantitative as there is simply way too much uncertainty in appsec
estimates to make the math work well.
I think the basic process is pretty simple. Estimate a bunch of factors
and calculate the likelihood, then estimate a few factors and calculate
the business impact. Then multiply these to get the overall risk.
I believe we should flesh out these factors, show people how to weight
the factors as appropriate for their business, and be done with it.
This process is pretty close to what I'm talking about.
My papers on this from the 90's
From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Daniel
Sent: Sunday, December 17, 2006 7:48 AM
To: owasp-testing at lists.owasp.org
Subject: [Owasp-testing] Defining Risk
I've spent today looking at what has been written so far and I feel
we are venturing into some dangerous territory with what we are
We need an easy to use, and understand, method of defining risk and
the one we have at the moment will cause more confusion than good.
The section on Quantitative Risk Calculation seems to be heavily
based upon some complex mathematical formula, but does anyone
honestly know how to do this?
I've shown this to a number of pentesters and colleagues and they all
agree that they would not use the above approach as it's overly
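The simple process Jeff describes above (score a handful of likelihood factors, score a handful of impact factors, average each group with weights chosen for the business, multiply to get overall risk), as an added worked example that is not part of the original thread. The factor names, the 0..9 scale, the weights and the Low/Medium/High thresholds are illustrative assumptions, not a published standard.

```python
SCALE_MAX = 9  # each factor is estimated on a 0 (negligible) .. 9 (severe) scale


def _weighted_mean(scores: dict, weights: dict) -> float:
    """Weighted mean of factor scores; refuses unscored, unknown or out-of-range factors."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"unscored factors: {sorted(missing)}")
    for name, value in scores.items():
        if name not in weights:
            raise ValueError(f"unknown factor: {name}")
        if not 0 <= value <= SCALE_MAX:
            raise ValueError(f"{name}={value} is outside 0..{SCALE_MAX}")
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return sum(scores[name] * w for name, w in weights.items()) / total


def bucket(overall: float) -> str:
    """Assumed thresholds: thirds of the 0..81 product range."""
    if overall < 27:
        return "LOW"
    if overall < 54:
        return "MEDIUM"
    return "HIGH"


def rate_risk(likelihood_scores, impact_scores, likelihood_weights=None, impact_weights=None):
    """Likelihood x impact, each a weighted mean of its factors (equal weights by default)."""
    lw = likelihood_weights or {k: 1 for k in likelihood_scores}
    iw = impact_weights or {k: 1 for k in impact_scores}
    likelihood = _weighted_mean(likelihood_scores, lw)
    impact = _weighted_mean(impact_scores, iw)
    overall = likelihood * impact
    return {"likelihood": likelihood, "impact": impact, "overall": overall, "rating": bucket(overall)}


# Constructed scores for one hypothetical finding (assumed factor names).
FINDING_LIKELIHOOD = {"ease_of_discovery": 7, "ease_of_exploit": 6, "attacker_skill": 5,
                      "awareness": 6, "detection_gap": 4}
FINDING_IMPACT = {"confidentiality": 3, "integrity": 3, "availability": 2,
                  "financial": 8, "reputation": 8}
# A business that cares most about money and reputation weights those factors 3x.
BUSINESS_IMPACT_WEIGHTS = {"confidentiality": 1, "integrity": 1, "availability": 1,
                           "financial": 3, "reputation": 3}

if __name__ == "__main__":
    print(rate_risk(FINDING_LIKELIHOOD, FINDING_IMPACT))
    print(rate_risk(FINDING_LIKELIHOOD, FINDING_IMPACT, impact_weights=BUSINESS_IMPACT_WEIGHTS))
```

With equal weights the finding lands just below the Low/Medium line; the business-specific weights push the same estimates into Medium, which is the weighting step Jeff proposes documenting.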