[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Andrew Muller andrew at ionize.com.au
Mon Aug 26 15:43:01 UTC 2013

Great discussion :) 

Originally my thoughts concerning the inclusion of the OWASP Risk Rating Methodology in the Testing Guide aligned with Christian's (i.e. OWASP does appsec, not risk). However, it may be prudent to "harmonize" the Methodology with 31000 or 27005 in much the same way that the 2011 revision of 27005 was intended to align with 31000. Rather than regurgitate 31000 within an appsec context, I suggest OWASP provide domain knowledge to aid a risk manager applying 31000/27005 in assessing the risk of an application vulnerability (as per Christian's SQL example below). Nothing verbose, just points for evaluating threats, vulnerability severity, remediation, etc., that could be used as an annex to 31000 or 27005.

I still believe that OWASP's mission is appsec, not risk management, but we should provide guidance to risk professionals who find themselves in our domain. 


----- Original Message -----

From: "Marco Morana" <marco.m.morana at gmail.com> 
To: "Christian Heinrich" <christian.heinrich at cmlh.id.au> 
Cc: "Thomas Brennan" <TBrennan at trustwave.com>, owasp-testing at lists.owasp.org 
Sent: Monday, 26 August, 2013 10:42:41 PM 
Subject: Re: [Owasp-testing] Are the Risk Rating Wiki Pages Broken? 

Christian, it looks like you are going solo on throwing baby and bath water... also you keep discounting other people's contributions and points of view on this. Please exercise restraint and consider other people's points of view; you are not helping the discussion. Sorry, very disappointed. Cheers, Marco

Sent from my iPad 

On 26 Aug 2013, at 12:11, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote: 

> Jim, 
> "... For example, a SQL injection problem is frequently CRITICAL, but 
> it might also be a LOW risk finding if the database is already public 
> and only an administrator could possibly exploit the flaw. ..." to 
> quote page 7 of 
> https://www.aspectsecurity.com/uploads/downloads/2013/06/Aspect-2013-Global-AppSec-Risk-Report.pdf. 
> I can understand that a risk manager might not comprehend technology,
> but even they have agreed with me that that quote is the worst calculation
> of inherent and residual risk that has ever been published.
> Until I see what additional value the OWASP Risk Rating
> Methodology would provide above ISO 31000 and CVSS, then it is neither a
> good start nor a framework for that matter. Hence it should be removed
> from the OWASP Testing Guide (since it taints what is otherwise good
> work within the Testing Guide) and marked as aborted.
> On Mon, Aug 26, 2013 at 8:45 PM, Jim Manico <jim.manico at owasp.org> wrote: 
>> Hey now, the OWASP Risk Rating is a good start and possibly even a 
>> good framework. It just needs an update. I also think that if you use 
>> "highest impact" instead of the "average impact" the numbers fall out 
>> better. 
>> As for project sponsorship issues, we desperately need better rules of 
>> play that are consistent across all projects. We really do not have 
>> that right now. 
>> The board is actively working on this and will submit a few proposals 
>> for the membership community to vote on, and soon. 
> -- 
> Regards, 
> Christian Heinrich 
> http://cmlh.id.au/contact 
Owasp-testing mailing list 
Owasp-testing at lists.owasp.org 
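The arithmetic behind Jim's "highest impact instead of average impact" remark and Christian's public-database SQL injection quote, as an added worked example that is not part of the thread and not OWASP's own code. It assumes the factor names, the 0-9 scale, the LOW/MEDIUM/HIGH bands and the overall-severity matrix of the OWASP Risk Rating Methodology wiki page (none of which the thread reproduces); the factor values for the two scenarios are constructed for illustration.

```python
"""Added worked example: the OWASP Risk Rating arithmetic the thread argues
about. Not code from the mailing list or from OWASP.

Assumptions (taken from the OWASP Risk Rating Methodology wiki page, not from
the thread): eight likelihood factors and eight impact factors scored 0-9,
each group reduced to one number (the published method averages), that number
mapped to LOW (<3) / MEDIUM (3 to <6) / HIGH (>=6), and the two bands looked
up in the overall-severity matrix. Scenario factor values are constructed.
"""
from statistics import mean

# Threat-agent and vulnerability factors that drive likelihood.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Technical and business factors that drive impact.
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability",
    "loss_of_accountability", "financial_damage", "reputation_damage",
    "non_compliance", "privacy_violation",
)
# Overall severity keyed by (likelihood band, impact band).
SEVERITY = {
    ("LOW", "LOW"): "Note",    ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def band(score):
    """Map a 0-9 score onto the methodology's three bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(likelihood, impact, impact_aggregate=mean):
    """Rate one finding.

    impact_aggregate is mean (the published method) or max (Jim's
    'highest impact' variant); likelihood is always averaged.
    """
    for names, scores in ((LIKELIHOOD_FACTORS, likelihood), (IMPACT_FACTORS, impact)):
        missing = set(names) - set(scores)
        if missing:
            raise ValueError(f"missing factors: {sorted(missing)}")
        bad = {k: v for k, v in scores.items() if not 0 <= v <= 9}
        if bad:
            raise ValueError(f"factors outside 0-9: {bad}")
    l_score = mean(likelihood[f] for f in LIKELIHOOD_FACTORS)
    i_score = impact_aggregate(impact[f] for f in IMPACT_FACTORS)
    l_band, i_band = band(l_score), band(i_score)
    return {"likelihood": l_score, "impact": i_score,
            "likelihood_band": l_band, "impact_band": i_band,
            "overall": SEVERITY[(l_band, i_band)]}


# Scenario 1 (constructed): SQL injection in an internet-facing customer
# database, automated tooling available, exploitation not logged.
INTERNET_SQLI = (
    dict(zip(LIKELIHOOD_FACTORS, (6, 4, 9, 9, 7, 9, 9, 8))),
    dict(zip(IMPACT_FACTORS, (9, 7, 5, 7, 7, 5, 7, 7))),
)
# Scenario 2 (constructed): the quoted case. The data is already public and
# only an administrator can reach the injectable query, but the injection
# can still alter or delete rows, so loss of integrity stays high.
PUBLIC_DB_SQLI = (
    dict(zip(LIKELIHOOD_FACTORS, (6, 1, 0, 2, 3, 3, 4, 3))),
    dict(zip(IMPACT_FACTORS, (0, 7, 5, 1, 1, 1, 2, 0))),
)


def compare(scenario):
    """Overall severity of one scenario under both impact aggregations."""
    likelihood, impact = scenario
    return {"average": rate(likelihood, impact, mean)["overall"],
            "highest": rate(likelihood, impact, max)["overall"]}


if __name__ == "__main__":
    for name, scenario in (("internet-facing", INTERNET_SQLI),
                           ("public db, admin only", PUBLIC_DB_SQLI)):
        print(name, compare(scenario))
```

The second scenario is where the two aggregations diverge: averaging puts the integrity-loss factor of 7 next to five factors scored 0 or 1, giving an impact of 2.125 and an overall rating of "Note"; taking the highest factor keeps the 7 and the finding rates "Medium". The internet-facing case rates "Critical" either way, so the choice only matters for findings with one dominant impact factor, which is exactly the kind of finding the quoted report describes.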

