[Owasp-testing] Risk Modelling - Skill Level

Jim Manico jim.manico at owasp.org
Wed Jul 20 13:41:26 EDT 2011


Bernd,

Great feedback. Would you mind editing the wiki around the OWASP Risk
Rating....

https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

...to account for your feedback?

- Jim


> Hello,
> 
> while working with the OWASP v2 Testing Guide to do some risk modelling for
> a few (known) vulnerabilities, I notices that the threat agent section is
> based on the concept of "think of a possible group of attackers and describe
> the risk that they succeed". However the other way around makes more sense:
> "describe the requirements/outcomes of your vulnerability".
> 
> For the follwoing 3 metrics, you do not think of a threat agent group to
> find out the scores, but you look at the vulnerable system:
> 
> Motive:
> 1 - there is no reward if vulnerability is exploited
> 9 - high reward 
> 
> Opportunity:
> 0 - full access or expensive required
> 9 - no access required
> 
> Size:
> 2 - developers
> 9 - anonymous
> 
> 
> 
> But for the "Skill Level" score, you have to think about the skills of the
> agents and rate. It should be the other way around "which skills are
> required to break in". Consequently "security penetration skills" should be
> a low risk rating and "no technical skills" a high one. It does work in both
> directions, but the other 3 dimensions looking from the requirements side.
> 
> Gruss
> Bernd



More information about the Owasp-testing mailing list