[Owasp-testing] Risk Modelling - Skill Level

Bernd Eckenfels bernd-2011 at eckenfels.net
Wed Jul 20 12:56:54 EDT 2011


While working with the OWASP v2 Testing Guide to do some risk modelling for
a few (known) vulnerabilities, I noticed that the threat agent section is
based on the concept of "think of a possible group of attackers and describe
the risk that they succeed". However, the other way around makes more sense:
"describe the requirements/outcomes of your vulnerability".

For the following 3 metrics, you do not think of a threat agent group to
find out the scores, but you look at the vulnerable system:

1 - there is no reward if vulnerability is exploited
9 - high reward 

0 - full access or expensive required
9 - no access required

2 - developers
9 - anonymous

But for the "Skill Level" score, you have to think about the skills of the
agents and rate them. It should be the other way around: "which skills are
required to break in". Consequently "security penetration skills" should be
a low risk rating and "no technical skills" a high one. It does work in both
directions, but the other 3 dimensions look from the requirements side.
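Added example, not part of the mailing-list post and not code from the OWASP project: it scores the four threat-agent factors two ways, once with the guide's attacker-centric "Skill Level" scale and once with the poster's proposed "skills required" reading, and shows how the threat-agent likelihood moves for the same vulnerability. The scale values beyond the two endpoints quoted in the post, the averaging of factors and the low/medium/high bands are assumed from the OWASP Risk Rating Methodology; the mirrored middle values of the inverted scale are this example's own assumption.

```python
# Added example (not from the post or the OWASP guide): contrast the guide's
# attacker-centric Skill Level scale with a "skills required" reading.
from statistics import mean

# OWASP scale: rate the skill of the attacker group you have in mind.
# Values other than the two endpoints quoted in the post are assumed from
# the OWASP Risk Rating Methodology.
SKILL_OF_AGENT = {
    "no technical skills": 1,
    "some technical skills": 3,
    "advanced computer user": 5,
    "network and programming skills": 6,
    "security penetration skills": 9,
}

# Proposed reading: rate the skill the vulnerability *requires*, so that
# "security penetration skills" scores low and "no technical skills" high.
# The post only fixes those two endpoints; mirroring the middle values is
# an assumption of this example.
SKILL_REQUIRED = {level: 10 - score for level, score in SKILL_OF_AGENT.items()}


def threat_agent_likelihood(skill, motive, opportunity, size, requirements_view=True):
    """Average of the four threat-agent factors, each on a 0-9 scale.

    motive, opportunity and size are already scored from the vulnerable
    system's side (reward, access needed, who can reach it), so they are
    passed as numbers; skill is a textual level looked up in whichever
    scale the caller selects.
    """
    scale = SKILL_REQUIRED if requirements_view else SKILL_OF_AGENT
    if skill not in scale:
        raise ValueError(f"unknown skill level: {skill!r}")
    for name, value in (("motive", motive), ("opportunity", opportunity), ("size", size)):
        if not 0 <= value <= 9:
            raise ValueError(f"{name} must be between 0 and 9, got {value}")
    return mean([scale[skill], motive, opportunity, size])


def likelihood_band(score):
    """Likelihood bands assumed from the OWASP Risk Rating Methodology:
    below 3 LOW, 3 to below 6 MEDIUM, 6 and above HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


if __name__ == "__main__":
    # Constructed sample: a flaw with a high reward, no access required and
    # reachable by anonymous users, but one that takes real penetration skills.
    case = dict(skill="security penetration skills", motive=9, opportunity=9, size=9)
    for view in (False, True):
        score = threat_agent_likelihood(**case, requirements_view=view)
        label = "requirements view" if view else "agent view"
        print(f"{label}: {score:.2f} ({likelihood_band(score)})")
```

Under the agent view the sample scores 9 (the skilled attacker you imagined is rated as likely); under the requirements view the same flaw drops to 7, because the penetration skills it demands count against its likelihood, which is the asymmetry the post describes.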

