[Owasp-testing] Testing Guide V4 - Start up

Ismael Rocha ismaelrocha.projetos at gmail.com
Wed Sep 12 11:53:41 UTC 2012


Hello all.

That's exactly what I've tried to point out.
The risk I presented on that table is based on business impact and not only
on technical impact. Then it's not easy to add it to Cheat Sheet. It's an
example from a report I've presented.
Even the likelihood is different according to the application assessed and
it makes the risk different from customer to customer.
Our thoughts are aligned.

Jim.

Maybe we can add a Cheat Sheet talking about how to classify risks based on
OWASP Risk Rating Methodology. We can also discuss this cheat sheet in
other forum.

Best Regards.

Ismael Gonçalves

On Wed, Sep 12, 2012 at 7:59 AM, Dirk Wetter <dirk.wetter at owasp.org> wrote:

>
> Hi there,
>
> Am 09/12/2012 12:30 PM, schrieb Ismael Rocha:
> > Hello Jim.
> >
> > I'm thinking about a good way to add it because the risk I've put in the
> > table is also calculated based on business impact, then a XSS flaw once
> > exploited for example has a different impact according to the business.
>
> you folks mean probably technical impact?
>
> "The business impact stems from the technical impact, but requires a
> deep understanding of what is important to the company running the
> application. " according to OWASP risk rating methodology.
>
> For one company availability or reputation can have a huge impact
> and they care less about SQL injection because (e.g. no information
> of users are affected) whereas for others the opposite is true.
>
> If you don't understand the business model of a particular institution,
> you cannot estimate their business risks, only technical ones.
>
> Best, Dirk
>
>
>
> >
> > Regards.
> >
> > Ismael Gonçalves
> >
> > On Sun, Sep 9, 2012 at 5:02 PM, Jim Manico <jim.manico at owasp.org
> > <mailto:jim.manico at owasp.org>> wrote:
> >
> >     Can you add the risk column to the cheat sheet?? :)
> >
> >     --
> >     Jim Manico
> >     VP, Security Architecture
> >     WhiteHat Security
> >     (808) 652-3805 <tel:%28808%29%20652-3805>
> >
> >     On Sep 9, 2012, at 7:52 AM, Ismael Rocha
> >     <ismaelrocha.projetos at gmail.com
> >     <mailto:ismaelrocha.projetos at gmail.com>> wrote:
> >
> >>     Hello David.
> >>
> >>     I worked in the Top Ten Cheatsheet to make the link between Top
> >>     Ten and Testing Guide.
> >>     https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
> >>
> >>     Here is a table I've been providing in reports about analysis
> >>     based on Top Ten. The calculations of the risk are also based on
> >>     OWASP Testing Guide - Risk Methodology and the business impact
> >>     factors are adapted according to the customer.
> >>
> >>
>
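Worked example added by the editor, not part of this thread and not OWASP's own tooling: it scores one finding with the OWASP Risk Rating Methodology to show the point made above, that the same technical finding lands in a different risk band once a customer's business impact factors replace the generic technical ones. The factor names, the 0-9 bands and the overall severity matrix follow the methodology; the XSS scores and the two customer profiles are constructed values for illustration.

```python
# Added example: OWASP Risk Rating Methodology scoring.
# Likelihood = mean of eight threat-agent and vulnerability factors (0-9).
# Impact     = mean of the four business impact factors when the customer's
#              business is understood, otherwise of the four technical ones.
# Bands: 0-<3 LOW, 3-<6 MEDIUM, 6-9 HIGH; overall severity comes from the matrix.
from statistics import mean

LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
TECHNICAL_IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                            "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT_FACTORS = ("financial_damage", "reputation_damage",
                           "non_compliance", "privacy_violation")

# Overall severity matrix from the methodology: key = (impact level, likelihood level).
SEVERITY = {
    ("LOW", "LOW"): "Note",   ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High",    ("HIGH", "HIGH"): "Critical",
}


def level(score):
    """Map a 0-9 average to the methodology's LOW / MEDIUM / HIGH bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(scores, factors):
    """Average the named factors, refusing incomplete or out-of-range input."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError(f"{f} must be 0-9, got {scores[f]}")
    return mean(scores[f] for f in factors)


def rate(likelihood, technical, business=None):
    """Return (likelihood level, impact level, overall severity, impact basis).

    Business impact factors are used when the customer supplied them;
    without them the methodology falls back to technical impact.
    """
    lik = level(_average(likelihood, LIKELIHOOD_FACTORS))
    if business is not None:
        imp, basis = level(_average(business, BUSINESS_IMPACT_FACTORS)), "business"
    else:
        imp, basis = level(_average(technical, TECHNICAL_IMPACT_FACTORS)), "technical"
    return lik, imp, SEVERITY[(imp, lik)], basis


# Constructed scores for a reflected XSS finding (not from any real assessment).
XSS_LIKELIHOOD = {"skill_level": 6, "motive": 4, "opportunity": 7, "size": 9,
                  "ease_of_discovery": 7, "ease_of_exploit": 5,
                  "awareness": 9, "intrusion_detection": 8}          # mean 6.875 -> HIGH
XSS_TECHNICAL = {"loss_of_confidentiality": 6, "loss_of_integrity": 3,
                 "loss_of_availability": 1, "loss_of_accountability": 7}  # mean 4.25 -> MEDIUM

# Constructed customer profiles: a brochure site with no user data vs. a bank
# where a hijacked session exposes customer records.
CUSTOMER_A = {"financial_damage": 1, "reputation_damage": 4,
              "non_compliance": 2, "privacy_violation": 3}        # mean 2.5 -> LOW
CUSTOMER_B = {"financial_damage": 7, "reputation_damage": 9,
              "non_compliance": 5, "privacy_violation": 7}        # mean 7.0 -> HIGH

if __name__ == "__main__":
    print("technical only:", rate(XSS_LIKELIHOOD, XSS_TECHNICAL))
    print("customer A:    ", rate(XSS_LIKELIHOOD, XSS_TECHNICAL, CUSTOMER_A))
    print("customer B:    ", rate(XSS_LIKELIHOOD, XSS_TECHNICAL, CUSTOMER_B))
```

Run as a script, the same XSS finding rates High on technical impact alone, Medium for customer A and Critical for customer B, which is why a fixed risk column cannot be copied into a generic cheat sheet: the likelihood factors may travel, but the impact column has to be re-scored per customer.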