[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Marco Morana marco.m.morana at gmail.com
Mon Aug 26 16:48:14 UTC 2013


Not sure I want to enter into philosophical discussions about whether OWASP does AppSec, not risk management. I believe that vulnerability risk management is in essence technical risk management, and application security is an integral part of it, since an application is an asset whose confidentiality, integrity and availability risks, whether inherent in the data assets or introduced by the presence of vulnerabilities, need to be risk-assessed and managed like other organization assets.

To bring the discussion to where it started, I think we can put our brains and expertise to improving the OWASP risk methodology with little changes, putting in the right averages and constraints. So if this is what we would like to do, you have my help as a member of the OWASP organization.



P.S. Can you elaborate on how the OWASP risk management methodology can be positively influenced by ISO 31000? Does ISO 31000 provide a framework for managing risks? So 31000 can be guidance for assessing and managing risk, but not specifically for calculating the factors of risk for threat agents, vulnerabilities, technical impact and business impact as the OWASP risk formula does. Are you saying that we should provide a framework and not a risk calculation formula?

Sent from my iPad

On 26 Aug 2013, at 16:43, Andrew Muller <andrew at ionize.com.au> wrote:

> Great discussion :)
> Originally my thoughts concerning the inclusion of the OWASP Risk Rating Methodology in the Testing Guide aligned with Christian's (i.e. OWASP does appsec, not risk). However, it may be prudent to "harmonize" the Methodology with 31000 or 27005 in much the same way that the 2011 revision of 27005 was intended to align with 31000. Rather than regurgitate 31000 within an appsec context, I suggest OWASP provide domain knowledge to aid a risk manager applying 31000/27005 in assessing the risk of an application vulnerability (as per Christian's SQL example below). Nothing verbose, just points for evaluating threats, vulnerability severity, remediation, etc., that could be used as an annex to 31000 or 27005.
> I still believe that OWASP's mission is appsec, not risk management, but we should provide guidance to risk professionals who find themselves in our domain.
> Andrew
> From: "Marco Morana" <marco.m.morana at gmail.com>
> To: "Christian Heinrich" <christian.heinrich at cmlh.id.au>
> Cc: "Thomas Brennan" <TBrennan at trustwave.com>, owasp-testing at lists.owasp.org
> Sent: Monday, 26 August, 2013 10:42:41 PM
> Subject: Re: [Owasp-testing] Are the Risk Rating Wiki Pages Broken?
> Christian, it looks like you are going solo on throwing out the baby with the bath water... also you keep discounting other people's contributions and points of view on this. Please exercise restraint and consider other people's points of view; you are not helping the discussion. Sorry, very disappointed. Cheers, Marco
> Sent from my iPad
> On 26 Aug 2013, at 12:11, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:
> > Jim,
> > 
> > "... For example, a SQL injection problem is frequently CRITICAL, but
> > it might also be a LOW risk finding if the database is already public
> > and only an administrator could possibly exploit the flaw. ..."  to
> > quote page 7 of
> > https://www.aspectsecurity.com/uploads/downloads/2013/06/Aspect-2013-Global-AppSec-Risk-Report.pdf.
> > I can understand that a risk manager might not comprehend technology,
> > but even they have agreed with me that that quote is the worst
> > calculation of inherent and residual risk that has ever been published.
> > 
> > Until I see what additional value the OWASP Risk Rating
> > Methodology would provide above ISO 31000 and CVSS, it is neither a
> > good start nor a framework for that matter.  Hence it should be removed
> > from the OWASP Testing Guide (since it taints what is otherwise good
> > work within the Testing Guide) and marked as aborted.
> > 
> > On Mon, Aug 26, 2013 at 8:45 PM, Jim Manico <jim.manico at owasp.org> wrote:
> >> Hey now, the OWASP Risk Rating is a good start and possibly even a
> >> good framework. It just needs an update. I also think that if you use
> >> "highest impact" instead of the "average impact" the numbers fall out
> >> better.
> >> 
> >> As for project sponsorship issues, we desperately need better rules of
> >> play that are consistent across all projects. We really do not have
> >> that right now.
> >> 
> >> The board is actively working on this and will submit a few proposals
> >> for the membership community to vote on, and soon.
> > 
> > 
> > -- 
> > Regards,
> > Christian Heinrich
> > 
> > http://cmlh.id.au/contact
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
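The arithmetic the thread argues over (the OWASP Risk Rating Methodology averaging its 0-9 factors, versus Jim's suggestion of taking the highest impact factor, and Christian's "already public, admin-only" SQL injection case) is easier to reason about with the numbers in front of you. The calculator below is an added example, not code from the thread, the Testing Guide or OWASP; the factor names, 0-9 bands and severity matrix are those of the OWASP Risk Rating Methodology, while the two scenarios and every score in them are constructed for illustration and do not come from the thread or from the Aspect report Christian quotes.

```python
"""Added example: OWASP Risk Rating Methodology arithmetic, average vs. highest factor.

Factor names, bands and the severity matrix follow the OWASP Risk Rating Methodology;
the scenario scores below are constructed for illustration only.
"""
from statistics import mean

# Likelihood factors: four threat-agent factors and four vulnerability factors, each 0-9.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Technical impact factors, each 0-9 (business impact factors are rated the same way).
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)
# Overall severity matrix, keyed by (impact level, likelihood level).
SEVERITY = {
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
}


def level(score):
    """Map a 0-9 score to a band: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def aggregate(factors, expected, method):
    """Collapse a factor table to one 0-9 score, validating names and ranges first."""
    if set(factors) != set(expected):
        raise ValueError(f"expected factors {sorted(expected)}, got {sorted(factors)}")
    for name, score in factors.items():
        if not 0 <= score <= 9:
            raise ValueError(f"{name} must be 0-9, got {score}")
    if method == "average":      # the methodology's default
        return mean(list(factors.values()))
    if method == "highest":      # the "highest impact" variant discussed in the thread
        return max(factors.values())
    raise ValueError(f"unknown aggregation method {method!r}")


def rate(likelihood, impact, likelihood_method="average", impact_method="average"):
    """Return likelihood score, impact score and overall severity for one finding."""
    l_score = aggregate(likelihood, LIKELIHOOD_FACTORS, likelihood_method)
    i_score = aggregate(impact, IMPACT_FACTORS, impact_method)
    return {
        "likelihood": l_score,
        "impact": i_score,
        "severity": SEVERITY[(level(i_score), level(l_score))],
    }


# Constructed scenario 1: internet-facing SQL injection against a database of sensitive
# data; confidentiality is badly hurt while the other three impact factors are minor,
# so averaging dilutes the single extreme factor.
INTERNET_FACING = {
    "likelihood": {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
                   "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
                   "intrusion_detection": 8},
    "impact": {"loss_of_confidentiality": 9, "loss_of_integrity": 1,
               "loss_of_availability": 1, "loss_of_accountability": 1},
}
# Constructed scenario 2: the same flaw where the data is already public and only an
# administrator is positioned to reach it (the situation Christian's quote describes).
PUBLIC_DB_ADMIN_ONLY = {
    "likelihood": {"skill_level": 6, "motive": 1, "opportunity": 0, "size": 2,
                   "ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 9,
                   "intrusion_detection": 1},
    "impact": {"loss_of_confidentiality": 0, "loss_of_integrity": 1,
               "loss_of_availability": 1, "loss_of_accountability": 1},
}


def compare(scenario):
    """Rate one scenario with averaged impact and with highest-factor impact, side by side."""
    return {
        "average_impact": rate(scenario["likelihood"], scenario["impact"]),
        "highest_impact": rate(scenario["likelihood"], scenario["impact"],
                               impact_method="highest"),
    }


if __name__ == "__main__":
    for name, scenario in (("internet-facing", INTERNET_FACING),
                           ("public DB, admin only", PUBLIC_DB_ADMIN_ONLY)):
        for method, result in compare(scenario).items():
            print(f"{name:22} {method:15} likelihood={result['likelihood']:.2f} "
                  f"impact={result['impact']:.2f} -> {result['severity']}")
```

With these constructed scores the first scenario rates "High" when impact is averaged (9, 1, 1, 1 averages to 3.0, just inside MEDIUM) but "Critical" when the highest impact factor is used, which is the shift Jim describes; the second scenario stays "Low" under either aggregation because every impact factor is low and the likelihood averages out to MEDIUM. Averaging likelihood as well as impact is kept here because applying "highest" to likelihood would let a single high factor (public awareness of the bug class, say) override the admin-only opportunity score; that is the kind of constraint Marco's "right averages and constraints" point is about.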