[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Marco Morana marco.m.morana at gmail.com
Fri Aug 23 08:33:32 UTC 2013


I am in favor of endorsing MITRE's CVSS since this is almost widely accepted industry standard for vulnerability risk scoring. Nevertheless, I think there is value in guiding users of the testing guide on the use of other qualitative risk assessment methodologies as a reference. Based upon my experience, organizations do not just rely on CVSS for vulnerability risk management but also on their risk management process and acceptable risk levels. I think keeping the current OWASP risk scoring has value for comparison and can be corrected for the risk factors of threats vs risk factors of vulnerabilities (discussion on threat agent skills) and overall weight calculation formula as well as for covering at least five levels instead of three (H,M,L). The comparison between CVSS and OWASP risk rating can also be used as a benchmark and to highlight that ultimately there is no one best risk methodology but consistent assessment of risk using different criteria.
One approach I like to educate users on how to assess risk is Josh's SimpleRisk tool where different risk assessment formulations can be used (even user defined) and compared to assess risk.

regards, Marco

Sent from my iPad

On 23 Aug 2013, at 03:19, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:

> Rick,
> 
> On Thu, Aug 22, 2013 at 10:14 PM, rick.mitchell at bell.ca
> <rick.mitchell at bell.ca> wrote:
>> Hi Christian, thanks for pointing that out. I can definitely see the argument for CVSS (or CVSS'ish) score for Web App Vulns. The only thing that I might say against it is that while there is meant to be a temporal aspect to things I haven't really seen any CVSS scores adjusted over time. Further, while this aspect is meant to be from discovery to exploit, web app assessment would almost always end up on the exploit end of the scale. Because, if I've identified an XSS in someone's app then it's been exploited.
> 
> CVSS is intended to provide a holistic approach to prioritising the
> implementation of a patch and/or workaround for vulnerabilities within
> binary/bytecode (non-web) applications, operating systems and networks
> in addition to web applications.
> 
> On Thu, Aug 22, 2013 at 10:14 PM, rick.mitchell at bell.ca
> <rick.mitchell at bell.ca> wrote:
>> We should also keep in mind that work has been done in adapting the OSSTMM and its metrics for use in web app assessments.
>> http://seclists.org/webappsec/2010/q3/49
>> https://twitter.com/isecom/statuses/167973076301135872
> 
> OSSTMM is *not* developed in a transparent manner (i.e. closed source)
> and this is demonstrated by
> https://twitter.com/isecom/statuses/167973076301135872 i.e. there is
> no public link within this tweet.
> 
> Furthermore, there are no web application security related published
> bodies of work from http://www.isecom.org/team.html that are published
> outside of ISECOM that I am aware of (I would welcome references that
> prove this assumption is incorrect).
> 
> On Thu, Aug 22, 2013 at 10:14 PM, rick.mitchell at bell.ca
> <rick.mitchell at bell.ca> wrote:
>> Anyway, while that's still up in the air I'd like to do something with the existing wiki. Even if that is only to reverse the previous edit which sparked this thread. I was just really hoping that a few people would chime in with black or white (agreement or disagreement) on the topic.
> 
> I can't agree that this would be a good use of your time due to the
> imminent release of CVSSv3 vs your expected outcome for the OWASP Risk
> Rating Methodology. Rather, it is more advantageous for OWASP to
> deprecate this as other bodies of work related to risk management have
> improved significantly over time with multiple releases.
> 
> 
> -- 
> Regards,
> Christian Heinrich
> 
> http://cmlh.id.au/contact
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
