[Owasp-testing] Defining Risk

Eoin eoinkeary at gmail.com
Mon Dec 18 07:01:55 EST 2006

Yep, agreed.
One thing I've always hated about assigning risk is using these formulas,
which at times do not take context into account: is the vulnerability
internal-facing only, is it exposed to unauthenticated users or to
authenticated users only?
There must be a rule of thumb for assigning how much of a risk a
particular vulnerability is, while avoiding complex academic formulas.

To me, risk is as simple as defining how damaging a vulnerability may be if
exploited and how easy/accessible it is to commit the exploit, also taking
into account whether the vulnerability is externally facing or internal on a
"secure" LAN segment.


On 17/12/06, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> I've spent today looking at what has been written so far and I feel
> we are venturing into some dangerous territory with what we are
> suggesting.
> We need an easy-to-use and easy-to-understand method of defining risk, and
> the one we have at the moment will cause more confusion than good.
> https://www.owasp.org/index.php/How_to_value_the_real_risk_AoC
> The section on Quantitative Risk Calculation seems to be heavily
> based upon some complex mathematical formula, but does anyone
> honestly know how to do this?
> I've shown this to a number of pentesters and colleagues and they all
> agree that they would not use the above approach as it's overly
> complicated.
> Thoughts?
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-testing

Eoin Keary OWASP - Ireland
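The rule of thumb Eoin describes, damage if exploited against how easy and accessible the exploit is, with exposure (Internet vs. "secure" LAN) and required access (unauthenticated vs. authenticated) folded into the likelihood side, written out as a small rating function. This is an added example, not code from the thread or the OWASP project: the 1..3 scales, the three-way collapse into a likelihood score and the 3x3 rating matrix are assumptions chosen for illustration, and the findings at the bottom are constructed.

```python
"""Context-aware rule-of-thumb risk rating (illustrative, assumed scales)."""
from dataclasses import dataclass
from enum import IntEnum


class Exposure(IntEnum):
    INTERNAL = 1   # reachable only from a "secure" LAN segment
    PARTNER = 2    # extranet, VPN or partner network
    INTERNET = 3   # reachable by anyone


class Access(IntEnum):
    PRIVILEGED = 1        # needs an admin or other high-privilege account
    AUTHENTICATED = 2     # any valid user account
    UNAUTHENTICATED = 3   # no credentials needed


@dataclass(frozen=True)
class Finding:
    name: str
    impact: int        # 1 (minor) .. 3 (severe): how damaging exploitation is
    ease: int          # 1 (hard) .. 3 (trivial): skill and effort to exploit
    exposure: Exposure
    access: Access


# Assumed 3x3 matrix, keyed by (likelihood, impact).
RATING = {
    (1, 1): "Low",    (1, 2): "Low",    (1, 3): "Medium",
    (2, 1): "Low",    (2, 2): "Medium", (2, 3): "High",
    (3, 1): "Medium", (3, 2): "High",   (3, 3): "Critical",
}
ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def _check_scale(value: int, field: str) -> None:
    """Reject values outside the assumed 1..3 scale instead of mis-rating."""
    if value not in (1, 2, 3):
        raise ValueError(f"{field} must be 1..3, got {value!r}")


def likelihood(f: Finding) -> int:
    """Collapse ease, exposure and access (each 1..3) into one 1..3 score.

    Integer average rounded to nearest: sums 3..9 map to 1,1,2,2,2,3,3.
    """
    _check_scale(f.ease, "ease")
    total = f.ease + int(f.exposure) + int(f.access)
    return (total + 1) // 3


def rate(f: Finding) -> str:
    """Look up the qualitative rating for a finding from the matrix."""
    _check_scale(f.impact, "impact")
    return RATING[(likelihood(f), f.impact)]


def triage(findings):
    """Order findings highest-rated first, impact as tie-breaker."""
    return sorted(findings, key=lambda f: (ORDER[rate(f)], f.impact),
                  reverse=True)


if __name__ == "__main__":
    # Constructed findings: the same SQL injection in two contexts, plus a
    # low-impact information leak that is just as easy to trigger.
    cases = [
        Finding("SQLi, Internet-facing login form", impact=3, ease=3,
                exposure=Exposure.INTERNET, access=Access.UNAUTHENTICATED),
        Finding("SQLi, internal intranet app", impact=3, ease=3,
                exposure=Exposure.INTERNAL, access=Access.AUTHENTICATED),
        Finding("Verbose stack trace, internal app", impact=1, ease=3,
                exposure=Exposure.INTERNAL, access=Access.AUTHENTICATED),
    ]
    for f in triage(cases):
        print(f"{rate(f):8} L={likelihood(f)} I={f.impact}  {f.name}")
```

Running the script shows the point of the thread: identical SQL injection drops from Critical to High once it is only reachable by authenticated users on the LAN, while the impact score never moves, and an equally easy low-impact leak lands at Low. Whatever scales a team settles on, the check worth keeping is the input validation: a rating that silently accepts an out-of-range score is worse than one that refuses.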
