[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Marco Morana marco.m.morana at gmail.com
Sat Aug 24 06:46:43 UTC 2013

Christian, thanks for the correction regarding CVSS origins. I think my confusion comes from the fact that Steve Christey, of the MITRE Corporation, who edits Common Vulnerabilities and Exposures (CVE), is also a member of FIRST, but indeed CVSS is not MITRE's child; CVE is. My fault.

I do not have a view on the other points you are making, but I do not agree that the OWASP risk methodology is "flawed" such that it can be rejected entirely. I am in favor of a revision, the same as CVSS has had revisions as well. In my opinion, I believe in "increased maturity through continuous improvements". I also think this discussion should be brought up to the people who are mentioned in this email so they can exercise their opinion and we can have a fair discussion on this topic.

I am copying Tom in case he thinks this discussion should be brought to a larger group including the authors of the OWASP risk methodology :)

cheers, Marco

Sent from my iPad

On 24 Aug 2013, at 02:00, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:

> Marco,
> On Fri, Aug 23, 2013 at 6:33 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
>> I am in favor of endorsing MITRE's CVSS since this is an almost widely accepted industry standard for vulnerability risk scoring. Nevertheless, I think there is value in guiding users of the testing guide on the use of other qualitative risk assessment methodologies as a reference. Based upon my experience, organizations do not just rely on CVSS for vulnerability risk management but also on their risk management process and acceptable risk levels. I think keeping the current OWASP risk scoring has value for comparison and can be corrected for the risk factors of threats vs. risk factors of vulnerabilities (discussion on threat agent skills) and the overall weight calculation formula, as well as for covering at least five levels instead of three (H, M, L). The comparison between CVSS and OWASP risk rating can also be used as a benchmark and to highlight that ultimately there is no one best risk methodology but consistent assessment of risk using different criteria.
> CVSS is published by FIRST not MITRE.
> ISO 31000 is the preferred risk management standard and is based on
> the Australian Standard 4360 (published in 2004).  The most common
> implementation of ISO 31000 to interoperate with CVSS is to insert a
> single risk item related to technical vulnerabilities on the risk
> registry (since the intended audience is the board of the respective
> company).
> https://www.owasp.org/index.php/Issues_Concerning_The_OWASP_Top_Ten_2013,
> and several other examples, prove beyond a reasonable doubt that
> Aspect Security have leveraged the flawed OWASP Risk Rating for their
> own commercial vested interests.
> Furthermore the OWASP Risk Rating Methodology is not cited by
> https://www.owasp.org/index.php/Threat_Risk_Modeling#Alternative_Threat_Modeling_Systems
> i.e. the OWASP Risk Rating Methodology cites Threat Modelling (and
> this wiki page) too.
> On Fri, Aug 23, 2013 at 6:33 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
>> One approach I like to educate users on how to assess risk is Josh's SimpleRisk tool where different risk assessment formulations can be used (even user defined) and compared to assess risk.
> I have not used https://code.google.com/p/simplerisk/ but Josh does
> have an excellent understanding of managing business risk i.e.
> http://lists.owasp.org/pipermail/owasp-board/2013-May/011954.html (to
> reuse my OWASP Top Ten example above).
> Compare this to the ongoing mess that Jeff Williams created when he
> appointed Dinis Cruz to the OWASP Board e.g.
> http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html
> -- 
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact