[Owasp-testing] Defining Risk

Eoin eoinkeary at gmail.com
Mon Dec 18 08:49:46 EST 2006


Gents,
If we can get something "simple" but effective quickly I would go for that,
but can we make sure, as Dan says, that the quality does not suffer, as it
[the guide] shall be a milestone/benchmark in app testing documentation
available today.
I would prefer if we stayed away from academic risk analysis and statistics.

Some of the intro documentation can still be used also.

-ek



On 18/12/06, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
>
> Agreed, this is the common approach used by most of the clients we work
> with, especially the banking sector.
>
> Matteo, I know you don't want to change it and get a draft out, but we need
> to be aware that many will follow our guide as the gospel on app testing and
> I'd rather we delay some bits so that newcomers to our industry have a good
> solid footing and not the one I had when this industry was started (a.k.a. make up what you want, there isn't anyone to disagree)
>
>
> What do you think? Should we quickly agree on something less complex and
> get it written up (I can do this as I'm currently on holiday and have fewer
> commitments than usual)?
>
>
>
>  On 18 Dec 2006, at 19:01, Eoin wrote:
>
>  Yep agreed.
> One thing I've always hated about assigning risk is to use these formulas
> which at times do not take context into account: if the vulnerability is
> internal facing only, is it exposed to unauthenticated users or
> authenticated only?
> There must be a rule of thumb relating to assigning how much of a risk a
> particular vulnerability is but avoiding complex academic formulas.
>
> To me Risk is as simple as defining how damaging a vulnerability exploit
> may be if exploited and how easy/accessible it is to commit the exploit.
> Also taking into account if the vulnerability is externally facing or is
> it internal on a "secure" LAN segment?
>
> -ek
>
>
>
>
>
> On 17/12/06, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> >
> > I've spent today looking at what has been written so far and I feel
> > we are venturing into some dangerous territory with what we are
> > suggesting.
> > We need an easy to use, and understand, method of defining risk and
> > the one we have at the moment will cause more confusion than good.
> >
> > https://www.owasp.org/index.php/How_to_value_the_real_risk_AoC
> >
> > The section on Quantitative Risk Calculation seems to be heavily
> > based upon some complex mathematical formula, but does anyone
> > honestly know how to do this?
> >
> > I've shown this to a number of pentesters and colleagues and they all
> > agree that they would not use the above approach as it's overly
> > complicated.
> >
> > Thoughts?
> >
> >
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > http://lists.owasp.org/mailman/listinfo/owasp-testing
> >
>
>
>
> --
> Eoin Keary OWASP - Ireland
> http://www.owasp.org/local/ireland.html
> http://www.owasp.org/index.php/OWASP_Testing_Project
> http://www.owasp.org/index.php/OWASP_Code_Review_Project
>
>
>
>



-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project
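The rule of thumb Eoin describes above (how damaging the exploit would be, how easy or accessible it is, and whether the external/internal and authenticated/unauthenticated context changes that) can be written down as a small qualitative rating scheme. The block below is an added illustration of that idea; it is not part of the thread and is not the OWASP Testing Guide's rating method. The level names, the 3x3 matrix, the context adjustments and the sample findings are all constructed for the example.

```python
"""
Rule-of-thumb risk rating (illustrative, not the OWASP Testing Guide's method):
  - impact: how damaging the vulnerability is if exploited
  - ease: how easy/accessible the exploit is
  - context: externally reachable or internal LAN only, unauthenticated or not
Context adjusts the likelihood step before it is combined with impact.
"""
from dataclasses import dataclass

# Constructed qualitative scale, lowest to highest.
LEVELS = ("low", "medium", "high")


def step(level: str, delta: int) -> str:
    """Move a level up (+) or down (-) the scale, clamped at both ends."""
    i = LEVELS.index(level) + delta
    return LEVELS[max(0, min(len(LEVELS) - 1, i))]


@dataclass
class Finding:
    name: str
    impact: str           # damage if exploited: low / medium / high
    ease: str             # how easy/accessible the exploit is: low / medium / high
    external: bool        # reachable from outside, or only on an internal LAN segment
    unauthenticated: bool  # exposed to unauthenticated users


def likelihood(f: Finding) -> str:
    """Ease of exploitation adjusted for the exposure context of the finding."""
    level = f.ease
    if not f.external:
        level = step(level, -1)  # internal only: attacker must already be on the LAN
    if f.unauthenticated:
        level = step(level, +1)  # anyone who can reach it can try it
    return level


# Constructed 3x3 matrix: (impact, likelihood) -> overall rating.
MATRIX = {
    ("high", "high"): "critical", ("high", "medium"): "high",   ("high", "low"): "medium",
    ("medium", "high"): "high",   ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "medium",    ("low", "medium"): "low",      ("low", "low"): "low",
}


def rate(f: Finding) -> str:
    """Overall rating for one finding."""
    return MATRIX[(f.impact, likelihood(f))]


# Constructed sample findings: the same class of flaw rates differently with context.
SAMPLE_FINDINGS = [
    Finding("Injection flaw in public customer login form", "high", "medium", True, True),
    Finding("Same injection flaw in admin-only intranet tool", "high", "medium", False, False),
    Finding("Verbose stack trace on public error page", "low", "high", True, True),
    Finding("Report export shows other users' records (login required)", "medium", "high", True, False),
]


def rate_all(findings=SAMPLE_FINDINGS) -> dict:
    """Map each finding name to its rating, so a report can sort on it."""
    return {f.name: rate(f) for f in findings}


if __name__ == "__main__":
    for name, rating in rate_all().items():
        print(f"{rating:>8}  {name}")
```

The point of the example is the context adjustment: the identical flaw on an internal, authenticated-only tool lands two steps lower than on the public login page, which is exactly the distinction a formula that ignores exposure cannot make.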