[Owasp-testing] Defining Risk
eoinkeary at gmail.com
Mon Dec 18 08:49:46 EST 2006
If we can get something "simple" but effective quickly I would go for that.
but can we make sure, as Dan says, that the quality does not suffer as it
[the guide] shall be a milestone/benchmark in app testing documentation
I would prefer if we stayed away from academic risk analysis and statistics.
Some of the intro documentation can still be used also.
On 18/12/06, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> Agreed, this is the common approach used by most of the clients we work
> with, especially the banking sector.
> Matteo, I know you don't want to change it and get a draft out, but we need
> to be aware that many will follow our guide as the gospel on app testing and
> I'd rather we delay some bits so that newcomers to our industry have a good
> solid footing and not the one I had when this industry was started (a.k.a. make up what you want, there isn't anyone to disagree).
> What do you think? Should we quickly agree on something less complex and
> get it written up (I can do this as I'm currently on holiday and have less
> commitments than usual)?
> On 18 Dec 2006, at 19:01, Eoin wrote:
> Yep agreed.
> One thing I've always hated about assigning risk is to use these formulas
> which at times do not take context into account, if the vulnerability is
> internal facing only, is it exposed to unauthenticated users or
> authenticated only.
> There must be a rule of thumb relating to assigning how much of a risk a
> particular vulnerability is but avoiding complex academic formulas.
> To me Risk is as simple as defining how damaging a vulnerability exploit
> may be if exploited and how easy/accessible it is to commit the exploit.
> Also taking into account if the vulnerability is externally facing or is
> it internal on a "secure" LAN segment?
> On 17/12/06, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> > I've spent today looking at what has been written so far and I feel
> > we are venturing into some dangerous territory with what we are
> > suggesting.
> > We need an easy-to-use, and understandable, method of defining risk and
> > the one we have at the moment will cause more confusion than good.
> > https://www.owasp.org/index.php/How_to_value_the_real_risk_AoC
> > The section on Quantitative Risk Calculation seems to be heavily
> > based upon some complex mathematical formula, but does anyone
> > honestly know how to do this?
> > I've shown this to a number of pentesters and colleagues and they all
> > agree that they would not use the above approach as it's overly
> > complicated.
> > Thoughts?
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > http://lists.owasp.org/mailman/listinfo/owasp-testing
> Eoin Keary OWASP - Ireland
Eoin Keary OWASP - Ireland