[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Jim Manico jim.manico at owasp.org
Mon Aug 26 10:45:48 UTC 2013

Hey now, the OWASP Risk Rating is a good start and possibly even a
good framework. It just needs an update. I also think that if you use
"highest impact" instead of the "average impact" the numbers fall out

As for project sponsorship issues, we desperately need better rules of
play that are consistent across all projects. We really do not have
that right now.

The board is actively working on this and will submit a few proposals
for the membership community to vote on, and soon.

Jim Manico
(808) 652-3805

On Aug 26, 2013, at 10:22 AM, Christian Heinrich
<christian.heinrich at cmlh.id.au> wrote:

> Marco,
> The intended audience for risk management aren't interested in threat
> model or the "technicality" of a vulnerability, rather their
> expectation is how the business manages risk outside of technology.
> Hence, the OWASP Risk Rating Methodology would confuse risk managers
> too and the reason for the simplistic approach of ISO 31000.
> To dispel the myth that this is another OWASP effort which does not
> contribute anything to webappsec I would recommend that you provide
> the additional value that the OWASP Risk Rating Methodology would
> provide above ISO 31000 and CVSS?
> Otherwise Josh would have a perceived conflict of interest as the
> ulterior motive identified would be to promote
> https://code.google.com/p/simplerisk/ while providing no actual value
> to webappsec.  I don't believe this to be the case because I have seen
> many examples of Josh highlighting "vendor neutrality" as he outlined
> within https://www.owasp.org/index.php/2013_Board_Elections but once
> accused of this the damage is already done.
> I still recommend that the OWASP Risk Rating Methodology is
> independent of the Testing Guide since this poor contribution from
> Aspect Security is them attempting to promote themselves within the
> Testing Guide itself without contributing anything of value i.e.
> http://lists.owasp.org/pipermail/owasp-board/2013-March/011679.html
> (FYI Jim Manico is a former employee of Aspect Security and therefore
> has "insider" knowledge of their poor business practices).
> Also, quoting Tom Brennan as supporting your cause is actually
> detrimental since his support for any initiative is based on the
> undisputed fact that there is a benefit to him and/or his employer at
> the time which has harmed the OWASP brand several times over without
> correction i.e.
> http://lists.owasp.org/pipermail/owasp-board/2008-September/006845.html
> and as a follow on the comments within
> http://taosecurity.blogspot.com.au/2010/06/publicly-traded-companies-read-this.html
> to the most recent incident being
> http://lists.owasp.org/pipermail/owasp-board/2013-July/012175.html
> In conclusion, can you provide the additional value that the OWASP
> Risk Rating Methodology would provide above ISO 31000 and CVSS? If it
> is not, should it be removed from the OWASP Testing Guide and marked as
> aborted?
> On Sun, Aug 25, 2013 at 6:34 PM, Marco Morana <marco.m.morana at gmail.com> wrote:
>> I initiated an email topic on this with Josh Sokol since he was the one that first reviewed the OWASP risk methodology, found some flaws and suggested the changes. I personally like the methodology because of the choice of risk factors for probability of threat agents and vulnerabilities and for technical and business impact. This forces a risk manager to think about these factors for scoring risk. What I think needs to be revised in the current methodology is the lack of context, so it cannot be misused. In the hands of a risk assessor with no technical and business context of these factors, the OWASP risk methodology can produce incorrect ratings since data can be entered that can cancel out factors in contradiction with each other (e.g. low threat agent skill level vs. low ease of exploit, loss of confidentiality vs. no impact on privacy and no financial impact). Also as per Josh's point, the weighting averages should be given in a way not to cancel important factors. I personally think too that the weight factors of threat, vulnerability, technical impact and business impact separately otherwise we have the same price for everything that we put in the grocery bag, apples and oranges, discounting that oranges (e.g. confidentiality), sorry got used to these analogies with my wife to simplify what I mean ..:)
>> My plan is to get this (as contributor of the testing guide) and work with Josh Sokol on a set of proposals for changes and propose to include them in the next release. How does it sound?
>> I think after we agree on these changes, it will also be nice to put the OWASP risk methodology in an online risk calculator with proper calculation of averages and a set of contextual constraints (pivots on conditions of vulnerabilities and technical impact and greyed selections to avoid contradictions)
>> For the time being, I think we should recommend the use of a standard like CVSS v2 to check the two ratings and also make sure whoever assigns the risk values is an expert risk manager with a clear understanding of the context of what is being entered, otherwise they need to consult with one that does.
>> p.s. sorry for Tom I was referring to Tom Brennan, copied herein in the conversation.
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
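The averaging question raised in Jim's reply and in Marco's quoted message, as an added Python example that is not code from this thread or from OWASP: it scores one constructed finding with the methodology's eight likelihood and eight impact factors, its 3/6 banding and its likelihood-by-impact matrix, once with averaged impact and once with the highest impact factor. The factor names and the "highest" mode are assumptions made for illustration.

```python
# Added example: OWASP Risk Rating arithmetic, average vs. highest impact.
# Factor names below are assumed labels for the methodology's 16 factors.
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability",
                  "financial_damage", "reputation_damage",
                  "non_compliance", "privacy_violation")

# Overall severity: outer key is the impact band, inner key the likelihood band.
MATRIX = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}

def level(score):
    """Band a 0-9 score: below 3 is LOW, below 6 is MEDIUM, otherwise HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def aggregate(factors, names, mode="average"):
    """Collapse the named factors to one score; 'highest' takes the max."""
    values = [factors[name] for name in names]  # KeyError if a factor is missing
    if mode == "average":
        return sum(values) / len(values)
    if mode == "highest":
        return max(values)
    raise ValueError(f"unknown mode: {mode}")

def rate(factors, impact_mode="average"):
    """Return the banded likelihood, impact and overall severity."""
    likelihood = level(aggregate(factors, LIKELIHOOD_FACTORS))
    impact = level(aggregate(factors, IMPACT_FACTORS, impact_mode))
    return {"likelihood": likelihood, "impact": impact,
            "overall": MATRIX[impact][likelihood]}

# Constructed scenario: a finding that leaks credentials (confidentiality 9)
# but scores low on every other impact factor, so averaging dilutes it.
SAMPLE = {
    "skill_level": 6, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6,
    "intrusion_detection": 8, "loss_of_confidentiality": 9,
    "loss_of_integrity": 1, "loss_of_availability": 1,
    "loss_of_accountability": 1, "financial_damage": 1,
    "reputation_damage": 1, "non_compliance": 2, "privacy_violation": 1,
}
```

With averaged impact the finding lands at Medium (impact 2.125, LOW band); taking the highest impact factor moves the same inputs to Critical.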
