[Owasp-testing] Defining Risk

Daniel Cuthbert daniel.cuthbert at owasp.org
Mon Dec 18 08:43:40 EST 2006


Agreed, this is the common approach used by most of the clients we  
work with, especially the banking sector.

Matteo, I know you don't want to change it and get a draft out, but we  
need to be aware that many will follow our guide as the gospel on app  
testing and I'd rather we delay some bits so that newcomers to our  
industry have a good solid footing and not the one I had when this  
industry was started (a.k.a. make up what you want, there isn't anyone  
to disagree).

What do you think? Should we quickly agree on something less complex  
and get it written up (I can do this as I'm currently on holiday and  
have less commitments than usual)?


On 18 Dec 2006, at 19:01, Eoin wrote:

> Yep agreed.
> One thing I've always hated about assigning risk is to use these  
> formulas which at times do not take context into account, if the  
> vulnerability is internal facing only, is it exposed to  
> unauthenticated users or authenticated only.
> There must be a rule of thumb relating to assigning how much of a  
> risk a particular vulnerability is but avoiding complex academic  
> formulas.
>
> To me, risk is as simple as defining how damaging a vulnerability  
> exploit may be if exploited and how easy/accessible it is to commit  
> the exploit.
> Also taking into account whether the vulnerability is externally facing  
> or internal on a "secure" LAN segment.
>
> -ek
>
> On 17/12/06, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> I've spent today looking at what has been written so far and I feel
> we are venturing into some dangerous territory with what we are
> suggesting.
> We need an easy-to-use, and easy-to-understand, method of defining risk and
> the one we have at the moment will cause more confusion than good.
>
> https://www.owasp.org/index.php/How_to_value_the_real_risk_AoC
>
> The section on Quantitative Risk Calculation seems to be heavily
> based upon some complex mathematical formula, but does anyone
> honestly know how to do this?
>
> I've shown this to a number of pentesters and colleagues and they all
> agree that they would not use the above approach as it's overly
> complicated.
>
> Thoughts?
>
>
> -- 
> Eoin Keary OWASP - Ireland
> http://www.owasp.org/local/ireland.html
> http://www.owasp.org/index.php/OWASP_Testing_Project
> http://www.owasp.org/index.php/OWASP_Code_Review_Project
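
The rule of thumb Eoin sketches above (how damaging a successful exploit is, how easy it is to carry out, and whether the weakness is external or internal, unauthenticated or authenticated) can be written down as a small rating routine. The following is an added illustration for this thread, not OWASP's method and not anything from the Testing Guide draft under discussion; the three-step Level scale, the exposure adjustments, the product thresholds and the sample findings are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Three-step scale used for both damage and ease (assumed, not OWASP's)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Finding:
    name: str
    damage: Level          # how damaging a successful exploit would be
    ease: Level            # how easy/accessible the exploit is in isolation
    external: bool         # reachable from outside the "secure" LAN segment?
    unauthenticated: bool  # exploitable without first obtaining an account?


def likelihood(finding: Finding) -> Level:
    """Ease of exploitation, adjusted for the context Eoin mentions.

    Each layer an attacker must already have passed (being on the internal
    network, holding a valid account) knocks the likelihood down one step.
    The step sizes are an assumption for this example.
    """
    score = int(finding.ease)
    if not finding.external:
        score -= 1
    if not finding.unauthenticated:
        score -= 1
    return Level(max(score, int(Level.LOW)))


def rate(finding: Finding) -> str:
    """Combine damage and context-adjusted likelihood into High/Medium/Low.

    Product ranges 1..9; thresholds are an assumption chosen so that only
    High damage with Medium-or-better likelihood (or the reverse) is High.
    """
    product = int(finding.damage) * int(likelihood(finding))
    if product >= 6:
        return "High"
    if product >= 3:
        return "Medium"
    return "Low"


def rate_all(findings: list[Finding]) -> dict[str, str]:
    """Map each finding's name to its rating, for a report summary table."""
    return {f.name: rate(f) for f in findings}


# Constructed sample findings: the same injection bug in two deployment
# contexts, plus a low-impact information leak.
INTERNET_LOGIN_SQLI = Finding(
    "SQL injection in internet-facing login form",
    damage=Level.HIGH, ease=Level.HIGH, external=True, unauthenticated=True,
)
INTERNAL_ADMIN_SQLI = Finding(
    "Same SQL injection in an internal admin tool behind a login",
    damage=Level.HIGH, ease=Level.HIGH, external=False, unauthenticated=False,
)
VERBOSE_ERRORS = Finding(
    "Verbose stack traces on public error page",
    damage=Level.LOW, ease=Level.MEDIUM, external=True, unauthenticated=True,
)
SAMPLE_FINDINGS = [INTERNET_LOGIN_SQLI, INTERNAL_ADMIN_SQLI, VERBOSE_ERRORS]


if __name__ == "__main__":
    for name, rating in rate_all(SAMPLE_FINDINGS).items():
        print(f"{rating:6}  {name}")
```

The point of the two injection entries is the one Eoin raises: the same weakness rates High when an anonymous internet user can reach it and only Medium when it sits on the LAN behind a login, without any formula more involved than a multiplication and two context adjustments.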
