[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Mon Aug 26 02:20:35 UTC 2013


Marco,

The intended audience for risk management isn't interested in the
threat model or the "technicality" of a vulnerability; rather, their
expectation is how the business manages risk outside of technology.
Hence, the OWASP Risk Rating Methodology would confuse risk managers
too, and that is the reason for the simplistic approach of ISO 31000.

To dispel the myth that this is another OWASP effort which does not
contribute anything to webappsec, I would recommend that you provide
the additional value that the OWASP Risk Rating Methodology would
provide above ISO 31000 and CVSS.

Otherwise Josh would have a perceived conflict of interest as the
ulterior motive identified would be to promote
https://code.google.com/p/simplerisk/ while providing no actual value
to webappsec.  I don't believe this to be the case because I have seen
many examples of Josh highlighting "vendor neutrality" as he outlined
within https://www.owasp.org/index.php/2013_Board_Elections but once
accused of this the damage is already done.

I still recommend that the OWASP Risk Rating Methodology is
independent of the Testing Guide since this poor contribution from
Aspect Security is them attempting to promote themselves within the
Testing Guide itself without contributing anything of value i.e.
http://lists.owasp.org/pipermail/owasp-board/2013-March/011679.html
(FYI Jim Manico is a former employee of Aspect Security and therefore
has "insider" knowledge of their poor business practices).

Also, quoting Tom Brennan as supporting your cause is actually
detrimental since his support for any initiative is based on the
undisputed fact that there is a benefit to him and/or his employer at
the time which has harmed the OWASP brand several times over without
correction i.e.
http://lists.owasp.org/pipermail/owasp-board/2008-September/006845.html
and as a follow on the comments within
http://taosecurity.blogspot.com.au/2010/06/publicly-traded-companies-read-this.html
to the most recent incident being
http://lists.owasp.org/pipermail/owasp-board/2013-July/012175.html

In conclusion, can you provide the additional value that the OWASP
Risk Rating Methodology would provide above ISO 31000 and CVSS and, if
not, should it be removed from the OWASP Testing Guide and marked as
aborted?

On Sun, Aug 25, 2013 at 6:34 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
> I initiated an email topic on this with Josh Sokol since he was the one that first reviewed the OWASP risk methodology, found some flaws and suggested the changes. I personally like the methodology because of the choice of risk factors for probability of threat agents and vulnerabilities and for technical and business impact. This forces a risk manager to think about these factors for scoring risk. What I think needs to be revised in the current methodology is the lack of context, so it cannot be misused. In the hands of a risk assessor with no technical and business context for these factors, the OWASP risk methodology can produce incorrect ratings since data can be entered that can cancel out factors in contradiction with each other (e.g. low threat agent skill level vs. low ease of exploit, loss of confidentiality vs. no privacy impact and no financial impact). Also, as per Josh's point, the weighted averages should be given in a way not to cancel important factors. I personally think too that the factors of threat, vulnerability, technical impact and business impact should be weighted separately; otherwise we have the same price for everything that we put in the grocery bag, apples and oranges, discounting that oranges (e.g. confidentiality), sorry, got used to these analogies with my wife to simplify what I mean ..:)
>
> My plan is to get this (as a contributor of the testing guide) and work with Josh Sokol on a set of proposals for changes and propose including them in the next release. How does it sound?
>
> I think after we agree on these changes, it will also be nice to put the OWASP risk methodology in an online risk calculator with proper calculation of averages and a set of contextual constraints (pivots on conditions of vulnerabilities and technical impact, and greyed-out selections to avoid contradictions).
>
> For the time being, I think we should recommend the use of a standard like CVSS v2 to check the two ratings and also make sure whoever assigns the risk values is an expert risk manager with a clear understanding of the context of what is being entered; otherwise they need to consult with one who does.
>
> p.s. sorry for Tom, I was referring to Tom Brennan, copied herein in the conversation.

-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
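As an added example (not from this thread or the Testing Guide), the plain OWASP Risk Rating arithmetic placed next to the kind of contextual constraint check Marco's reply asks for; the constraint rules, the constructed scores and the helper names are assumptions, not part of the published methodology.

```python
# Added illustration: OWASP Risk Rating arithmetic plus assumed consistency rules.
from statistics import mean

# Factor names follow the OWASP Risk Rating Methodology; each is scored 0-9.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL = ("loss_of_confidentiality", "loss_of_integrity",
             "loss_of_availability", "loss_of_accountability")
BUSINESS = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

def level(score):
    """OWASP banding: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

# OWASP overall severity matrix: (impact level, likelihood level) -> severity.
SEVERITY = {
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
}

def rate(f):
    """Plain OWASP arithmetic: likelihood and impact are unweighted averages,
    which is exactly what lets one high factor be diluted by low ones."""
    likelihood = mean(f[k] for k in THREAT_AGENT + VULNERABILITY)
    impact = mean(f[k] for k in TECHNICAL + BUSINESS)
    return likelihood, impact, SEVERITY[(level(impact), level(likelihood))]

def contradictions(f):
    """Assumed consistency rules (illustrative, not from OWASP): flag inputs
    that pull in opposite directions, as the thread discusses."""
    issues = []
    # In OWASP scoring, skill_level 9 means no skill needed; ease_of_exploit 1 is theoretical.
    if f["skill_level"] >= 6 and f["ease_of_exploit"] <= 3:
        issues.append("no skill required but exploit rated theoretical/difficult")
    if (f["loss_of_confidentiality"] >= 6 and f["privacy_violation"] <= 1
            and f["financial_damage"] <= 1):
        issues.append("high confidentiality loss but no privacy or financial impact")
    return issues

# Constructed input: a total confidentiality loss scored inconsistently elsewhere.
EXAMPLE = dict(skill_level=9, motive=9, opportunity=9, size=9,
               ease_of_discovery=9, ease_of_exploit=1, awareness=1, intrusion_detection=1,
               loss_of_confidentiality=9, loss_of_integrity=1, loss_of_availability=1,
               loss_of_accountability=1, financial_damage=1, reputation_damage=1,
               non_compliance=1, privacy_violation=1)

if __name__ == "__main__":
    print(rate(EXAMPLE))            # averaging yields only "Medium" overall
    print(contradictions(EXAMPLE))  # two flagged contradictions
```

Running it shows the averaging effect Marco describes: a confidentiality loss scored 9 averages down to an impact of 2, so the finding lands at "Medium", while the assumed constraint check flags both inconsistent inputs.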

