[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Yvan Boily yvanboily at gmail.com
Mon Aug 19 18:09:43 UTC 2013


"How technically skilled is this group of threat agents? Security
penetration skills (1), network and programming skills (3), advanced
computer user (4), some technical skills (6), no technical skills (9)"

This entire section should probably be redesigned to reflect the level of
resources an attacker has rather than technical skill.  Time and money are
great equalizers to skill because you can always train or develop the
skills needed (usually quite quickly for a specific vulnerability), or you
can outright hire someone to design an exploit for you.  A sufficiently
motivated attacker with sufficient resources probably poses a greater
threat than a group of the most l33t hackers who author exploits for money.

By the same token, under vulnerability factors, the following should
probably be replaced:
"How easy is it for this group of threat agents to actually exploit this
vulnerability? Theoretical (1), difficult (3), easy (5), automated tools
available (9)"

The spectrum is really something more like: "Probably Not Exploitable (1),
Exploitable (5), Reliably Exploitable (9)"

It is probably worth revisiting the model as a whole, and a team could also
provide a catalogue of sample threat agents and their scores as well.

Anyone else interested in working on this?