[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

rick.mitchell at bell.ca rick.mitchell at bell.ca
Thu Aug 22 12:14:18 UTC 2013

Hi Christian, thanks for pointing that out. I can definitely see the argument for CVSS (or CVSS'ish) score for Web App Vulns. The only thing that I might say against it is that while there is meant to be a temporal aspect to things I haven't really seen any CVSS scores adjusted over time. Further while this aspect is meant to be from discovery to exploit web app assessment would almost always end up on the exploit end of the scale. Because, If I've identified a XSS in someone's app then it's been exploited.

We should also keep in mind that work has been done in adapting the OSSTMM and its metrics for use in web app assessments.

Anyway, while that's still up in the air I'd like to do something with the existing wiki. Even if that is only to reverse the previous edit which sparked this thread. I'm was just really hoping that a few people would chime in with black or white (agreement or disagreement) on the topic.


-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich at cmlh.id.au] 
Sent: August 21, 2013 11:41 PM
To: Mitchell, Rick (6030318)
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Are the Risk Rating Wiki Pages Broken?


I believe based the conclusion drawn from the thread in May 2013
(which begins at
was to deprecated the OWASP Risk Rating Methodology for CVSSv3.

The latest on public announcement on it's (CVSSv3) ongoing development
is http://www.first.org/_assets/downloads/cvss/cvss-v3-development-update.pdf

On Tue, Aug 20, 2013 at 2:47 AM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> I just had a client ask about: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
> It seems at some point in the last two years that the skill level ratings have been reversed. Such that a skilled attacker has a lower rating that an unskilled attacker. This doesn't make any logical sense.
> At a high level the wiki defines "Risk = Likelihood * Impact"
> If Threat Agent goes towards the Likelihood part of the calculation a skilled individual should be of greater concern than an unskilled individual. If one's "most likely" attacker is skilled then their risk should be higher than if their "most likely" attacker is unskilled. So someone with "Security penetration skills" should be a 9 not a 1 (raising the risk calc)... On the flip side someone with "no technical skills" should be a 1 not a 9 (thus reducing my risk calc).
> From the wiki page:
> "The goal here is to estimate the likelihood of a successful attack by this group of threat agents. Use the worst-case threat agent.
> Skill level
>     How technically skilled is this group of threat agents? Security penetration skills (1), network and programming skills (3), advanced computer user (4), some technical skills (6), no technical skills (9)"
> Further down the page: "Then you simply take the average of the scores to calculate the overall likelihood."
> So using the numbers in the wiki table you come up with 4.375, if you increase the skill level value (thus decreasing the attacker's actual skill as defined earlier in the page) your risk rating is increased:
> 9|2|7|1|3|6|9|2 = AVG of 4.875 (where 9 is defined as unskilled) which would pull your whole risk rating for an issue up.
> 1|2|7|1|3|6|9|2 = AVG of 3.875 (where 1 is defined as highly skilled) which would drag your whole risk rating for an issue down.
> Is the methodology trying to state that you're unlikely to be attacked by skilled individuals? Wouldn't that be a function of motivation or opportunity not skill? Meaning that while a highly skilled individual might pose greater risk from a skill perspective they may not be motivated or have opportunity to carry out and exploit of the issue in question.

Christian Heinrich


More information about the Owasp-testing mailing list