[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Sat Aug 24 01:00:59 UTC 2013


On Fri, Aug 23, 2013 at 6:33 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
> I am in favor of endorsing MITRE's CVSS since this is almost widely accepted industry standard for vulnerability risk scoring. Nevertheless, I think there is value in guiding users of the testing guide on the use of other qualitative risk assessment methodologies as a reference. Based upon my experience, organizations do not just rely on CVSS for vulnerability risk management but to their risk management process and acceptable risk levels. I think keeping the current OWASP risk scoring has value for comparison and can be corrected for the risk factors of threats vs risk factors of vulnerabilities (discussion on threat agent skills) and overall weight calculation formula as well as for covering at least five levels instead of three (H,M,L). The comparison between CVSS and OWASP risk rating can also be used as a benchmark and to highlight that ultimately there is no one best risk methodology but consistent assessment of risk using different criteria.

CVSS is published by FIRST not MITRE.

ISO 31000 is the preferred risk management standard and is based on
the Australian Standard 4360 (published in 2004).  The most common
implementation of ISO 31000 to interoperate with CVSS is to insert a
single risk item related to technical vulnerabilities on the risk
registry (since the intended audience is the board of the respective

and several other examples, prove beyond a reasonable doubt that
Aspect Security have leveraged the flawed OWASP Risk Rating for their
own commercial vested interests.

Furthermore the OWASP Risk Rating Methodology is not cited by
i.e. the OWASP Risk Rating Methodology cites Threat Modelling (and
this wiki page) too.

On Fri, Aug 23, 2013 at 6:33 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
> One approach I like to educate users on how to assess risk is Josh's SimpleRisk tool where different risk assessment formulations can be used (even user defined) and compared to assess risk.

I have not used https://code.google.com/p/simplerisk/ but Josh does
have an excellent understanding of managing business risk i.e.
http://lists.owasp.org/pipermail/owasp-board/2013-May/011954.html (to
reuse my OWASP Top Ten example above).

Compare this to the ongoing mess that Jeff Williams created when he
appointed Dinis Cruz to the OWASP Board e.g.

Christian Heinrich
