[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Marco Morana marco.m.morana at gmail.com
Sun Aug 25 08:34:20 UTC 2013


I initiated an email topic on this with Josh Sokol since he was the one that first reviewed the OWASP risk methodology, found some flaws and suggested the changes. I personally like the methodology because of the choice of risk factors for probability of threat agents and vulnerabilities and for technical and business impact. This forces a risk manager to think about these factors for scoring risk. What I think needs to be revised in the current methodology is the lack of context, so that it cannot be misused. In the hands of a risk assessor with no technical and business context of these factors, the OWASP risk methodology can produce incorrect ratings, since data can be entered that can cancel out factors in contradiction with each other (e.g. low threat agent skill level vs. low ease of exploit, loss of confidentiality vs. no impact on privacy and no financial impact). Also, as per Josh's point, the weighted averages should be given in a way that does not cancel important factors. I personally think too that the factors of threat, vulnerability, technical impact and business impact should be weighted separately; otherwise we have the same price for everything that we put in the grocery bag, apples and oranges, discounting that oranges (e.g. confidentiality), sorry, I got used to these analogies with my wife to simplify what I mean ..:)

My plan is to get this (as contributor of the testing guide) and work with Josh Sokol on a set of proposals for changes and propose to include them in the next release. How does it sound?

I think after we agree on these changes, it will also be nice to put the OWASP risk methodology in an online risk calculator with proper calculation of averages and a set of contextual constraints (pivots on conditions of vulnerabilities and technical impact, and greyed-out selections to avoid contradictions).

For the time being, I think we should recommend the use of a standard like CVSS v2 to check the two ratings, and also make sure that whoever assigns the risk values is an expert risk manager with a clear understanding of the context of what is being entered; otherwise they need to consult with one that does.

P.S. Sorry, by Tom I was referring to Tom Brennan, copied herein in the conversation.



Sent from my iPad

On 25 Aug 2013, at 01:58, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:

> Marco,
> On Sat, Aug 24, 2013 at 4:46 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
>> Christian, thanks for the correction in regarding CVSS origins. I think my
>> confusion is from the fact that Steve Christey, of the MITRE Corporation,
>> who edits Common Vulnerabilities and Exposures (CVE) is also member of FIRST
>> but indeed this is not MITRE's child, CVE is, my fault.
> This error is not uncommon and due to their reading of "V" and "W" too
> i.e. CVE and CWE
> Also, the NVD is hosted within NIST not MITRE i.e.
> http://nvd.nist.gov/ and NIST list their respective CVSSv2 Metrics
> against their CVE entries.
> On Sat, Aug 24, 2013 at 4:46 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
>> I do not have a view on the other points you are making but I do not agree
>> the OWASP risk methodology is "flawed" so it can be rejected entirely. I am
>> in favor of a revision same as CVSS had revisions as well. In my opinion, I
>> believe in "increased maturity through continuous improvements". I also
>> think this discussion should be brought up to the people that are mentioned
>> in this email so they can exercise their opinion and we can have a fair
>> discussion on this topic.
> I attempted to update the OWASP Risk Rating Methodology around the
> release of the OWASP Testing Guide v3 and the OWASP Top Ten dated
> 2010.  My proposal also included making the Risk Rating Methodology
> independent from the Testing Guide.  This was resisted by the project
> leader (of the OWASP Testing Guide, who I have deliberately not named)
> at the time and I suspect it was due to Aspect Security dominance of
> the OWASP Board.
> Several former employees of Aspect Security have also taken subsequent
> action to block their (Aspect Security's) further commercial
> exploitation of OWASP, such as Jim Manico and
> http://lists.owasp.org/pipermail/owasp-board/2013-March/011679.html
> are his comments related to the OWASP Risk Rating Methodology.
> I fail to see the advantage in attempting to catch up as OWASP has
> lost its leadership position within several areas of Web Application
> Security with other parties that have more mature risk management and
> associated vulnerability patch and/or workaround frameworks.
> Furthermore, these other parties have not resisted the inclusion of
> external contributions as OWASP has in the past.
> If you are interested in contributing to CVSSv3 then I can facilitate
> an introduction to Seth for you?
> On Sat, Aug 24, 2013 at 4:46 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
>> I am copying Tom if he thinks this discussion should be brought to a larger
>> group including the authors of the OWASP risk methodology  :)
> I am not sure which "Tom" you are referring to and neither is a
> Tom listed within
> https://www.owasp.org/index.php?title=OWASP_Risk_Rating_Methodology&action=history.
> That stated I would advise against escalating this to the "Tom" who
> is the subject within
> http://lists.owasp.org/pipermail/owasp-board/2008-September/006845.html
> as it was Aspect Security that raised the objection in this specific
> instance (of 2008).
> -- 
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact
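
The averaging problem Marco describes above, worked through as an added example (this is not code from the thread or from the OWASP wiki): it implements the wiki's per-group averaging and severity matrix, adds the separate weighting he proposes, and flags the contradictory inputs he lists. The weight values, contradiction thresholds and sample scores are this example's own assumptions.

```python
from statistics import mean

# Factor groups of the OWASP Risk Rating Methodology; every factor is scored 0-9.
THREAT_AGENT = ["skill_level", "motive", "opportunity", "size"]
VULNERABILITY = ["ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection"]
TECHNICAL_IMPACT = ["loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability"]
BUSINESS_IMPACT = ["financial_damage", "reputation_damage", "non_compliance", "privacy_violation"]

# The methodology's severity matrix, keyed by (impact level, likelihood level).
SEVERITY = {
    ("LOW", "LOW"): "NOTE", ("LOW", "MEDIUM"): "LOW", ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}

def level(score):
    """Map a 0-9 score to the methodology's bands: <3 low, 3 to <6 medium, 6-9 high."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def group_score(factors, names, weights=None):
    """Plain average as on the wiki, or a weighted average when weights are given,
    so that one important factor is not cancelled out by three unimportant ones."""
    w = {n: (weights or {}).get(n, 1) for n in names}
    return sum(factors[n] * w[n] for n in names) / sum(w.values())

def overall_risk(factors, weights=None):
    likelihood = mean([group_score(factors, THREAT_AGENT, weights),
                       group_score(factors, VULNERABILITY, weights)])
    impact = mean([group_score(factors, TECHNICAL_IMPACT, weights),
                   group_score(factors, BUSINESS_IMPACT, weights)])
    return SEVERITY[(level(impact), level(likelihood))]

def contradictions(factors):
    """Context checks of the kind the thread asks for (thresholds are assumptions)."""
    issues = []
    if (factors["loss_of_confidentiality"] >= 7 and factors["privacy_violation"] <= 1
            and factors["financial_damage"] <= 1):
        issues.append("critical data disclosed, yet no privacy or financial impact")
    if factors["skill_level"] >= 9 and factors["ease_of_exploit"] <= 3:
        issues.append("unskilled threat agents assumed, yet the exploit is difficult")
    return issues

# Constructed sample: one severe factor per impact group, everything else minimal.
SAMPLE = dict(skill_level=9, motive=9, opportunity=9, size=9,
              ease_of_discovery=1, ease_of_exploit=1, awareness=1, intrusion_detection=1,
              loss_of_confidentiality=9, loss_of_integrity=1,
              loss_of_availability=1, loss_of_accountability=1,
              financial_damage=1, reputation_damage=1, non_compliance=1, privacy_violation=1)
```

With plain averaging the sample rates LOW despite full disclosure of critical data; giving loss of confidentiality a weight of 5 lifts it to MEDIUM, and `contradictions(SAMPLE)` reports both inconsistencies.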

More information about the Owasp-testing mailing list