[Owasp-testing] Are the Risk Rating Wiki Pages Broken? I happen to really like the Testing Guide Risk Rating Methodology

David Fern dfern at verizon.net
Mon Aug 26 11:56:17 UTC 2013


I happen to really like the Testing Guide Risk Rating Methodology
 
While it may be more simplistic than ISO 31000 and CVSS, for the Testing Guide and its audience it is great.

In fact I believe that an organization starting out will be able to easily take the charts and concepts/methodology from this section and make a nice "results report".

Probably we need to include references to ISO 31000 and CVSS and start the methodology with some caveats and a broader theory, with this methodology given as an example.

Any thoughts?

Thanks,
David
 

________________________________
 From: Christian Heinrich <christian.heinrich at cmlh.id.au>
To: Jim Manico <jim.manico at owasp.org> 
Cc: Thomas Brennan <TBrennan at trustwave.com>; "owasp-testing at lists.owasp.org" <owasp-testing at lists.owasp.org> 
Sent: Monday, August 26, 2013 7:11 AM
Subject: Re: [Owasp-testing] Are the Risk Rating Wiki Pages Broken?
  

Jim,

"... For example, a SQL injection problem is frequently CRITICAL, but
it might also be a LOW risk finding if the database is already public
and only an administrator could possibly exploit the flaw. ..."  to
quote page 7 of
https://www.aspectsecurity.com/uploads/downloads/2013/06/Aspect-2013-Global-AppSec-Risk-Report.pdf.
I can understand that a risk manager might not comprehend technology,
but even they have agreed with me that that quote is the worst calculation
of inherent and residual risk that has ever been published.

Until I see what additional value the OWASP Risk Rating
Methodology would provide above ISO 31000 and CVSS, it is neither a
good start nor a framework for that matter.  Hence it should be removed
from the OWASP Testing Guide (since it taints what is otherwise good
work within the Testing Guide) and marked as aborted.

On Mon, Aug 26, 2013 at 8:45 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Hey now, the OWASP Risk Rating is a good start and possibly even a
> good framework. It just needs an update. I also think that if you use
> "highest impact" instead of the "average impact" the numbers fall out
> better.
>
> As for project sponsorship issues, we desperately need better rules of
> play that are consistent across all projects. We really do not have
> that right now.
>
> The board is actively working on this and will submit a few proposals
> for the membership community to vote on, and soon.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
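Jim's remark above about using "highest impact" instead of "average impact", as an added example that is not part of the thread: a small Python model of the OWASP Risk Rating Methodology's scoring that rates one constructed finding both ways. The factor names, 0-9 scale, LOW/MEDIUM/HIGH bands and overall-severity matrix are taken from the published methodology; the finding's ratings are constructed for illustration.

```python
from statistics import mean

# Factor names, 0-9 scale, bands and matrix follow the published OWASP Risk Rating
# Methodology; the sample ratings further down are constructed for illustration.
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability")

# (likelihood band, impact band) -> overall severity
SEVERITY = {
    ("LOW", "LOW"): "NOTE", ("LOW", "MEDIUM"): "LOW", ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}


def band(score):
    """Map a 0-9 score to the methodology's bands: <3 LOW, <6 MEDIUM, else HIGH."""
    if score < 3:
        return "LOW"
    return "MEDIUM" if score < 6 else "HIGH"


def rate(ratings, impact_aggregate=mean):
    """Return (likelihood band, impact band, overall severity) for 0-9 factor ratings.

    impact_aggregate is applied to the four impact factors: mean reproduces the
    published method, max is the "highest impact" variant discussed in the thread.
    """
    for name in LIKELIHOOD_FACTORS + IMPACT_FACTORS:
        if not 0 <= ratings[name] <= 9:
            raise ValueError(f"{name} must be rated 0-9, got {ratings[name]}")
    likelihood = band(mean(ratings[f] for f in LIKELIHOOD_FACTORS))
    impact = band(impact_aggregate(ratings[f] for f in IMPACT_FACTORS))
    return likelihood, impact, SEVERITY[(likelihood, impact)]


# Constructed finding: easily exploited injection that exposes every record
# (confidentiality 9) but barely affects integrity, availability or accountability.
SQLI_DATA_EXPOSURE = dict(
    skill_level=6, motive=9, opportunity=7, size=9,
    ease_of_discovery=7, ease_of_exploit=5, awareness=9, intrusion_detection=8,
    loss_of_confidentiality=9, loss_of_integrity=1,
    loss_of_availability=1, loss_of_accountability=1,
)

if __name__ == "__main__":
    print("average impact:", rate(SQLI_DATA_EXPOSURE))       # ('HIGH', 'MEDIUM', 'HIGH')
    print("highest impact:", rate(SQLI_DATA_EXPOSURE, max))  # ('HIGH', 'HIGH', 'CRITICAL')
```

Averaging lets three near-zero impact factors pull a total data exposure down to MEDIUM impact; taking the highest factor keeps it HIGH, which is the difference Jim describes.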