[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

rick.mitchell at bell.ca rick.mitchell at bell.ca
Tue Aug 27 12:16:08 UTC 2013

Hi Christian, to your last point I have considered this. However rating skill (i.e.: experience and training) based on things like "beginners' luck" or "accidents" doesn't really fit the model. 

While an unskilled individual may through bungling discover a DoS vuln etc I would expect a skilled individual to find the same and likely be able to leverage it to greater effect.

Therefore it seems logical to revert the edit which reversed the Threat Agent Skill ratings. As seems to have been agreed upon by various replies on the mailing list and discussions outside of the mailing list. I'll wait a day or two for further feedback and then make the edit.

There is no bias issue, as:
1) I was raising this as a community issue.
2) This is all documented publically.
3) I provide elements (such as severity (worst case), likelihood, exploitability, remediation effort [all from my team's point of view or experience]) which might feed into a client's risk assessment or calculation but I'm not responsible for such assessment or calculation, nor are the elements I provide the only basis for such assessments or calculations.


-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich at cmlh.id.au] 
Sent: August 23, 2013 10:23 PM
To: Mitchell, Rick (6030318)
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Are the Risk Rating Wiki Pages Broken?


On Fri, Aug 23, 2013 at 11:16 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> Hi Christian, I think we're all in agreement that the current methodology could be replaced or improved. I'm just looking for a quick fix (i.e. I can do it in mere seconds....there is no concern about it taking time) to address a client concern and what seems like an obvious mistake.

Since the issue was raised by your client I would recommend that
someone independent of you and your client perform the change on the
wiki otherwise the change will appear bias.

On Fri, Aug 23, 2013 at 11:16 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> Even if CVSSv3 is out tomorrow (I suspect imminent for it actually means sometime this year...maybe), OWASP isn't going to adopt it the day after (even if we've established here that we should or could), and even further out is adoption by users/companies/organizations that currently leverage OWASP material.

CVSSv3 is supported by an extensive list of stakeholders i.e.
http://www.first.org/cvss/eadopters, http://www.first.org/cvss/team
and  scroll down to the "Announcing the CVSS Special Interest Group
for CVSS v3 Development" section on
http://www.first.org/cvss/v3/development too.

That stated, this is the first instance I have known of where someone
other than Aspect Security has adopted their flawed risk rating
methodology :)  I'll assume that this was a copy paste from an OWASP
Top Ten finding?

On Fri, Aug 23, 2013 at 11:16 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> So to the original point of this thread:
> Do people agree or disagree that the current threat agent skill definition is backwards and that the edit (https://www.owasp.org/index.php?title=OWASP_Risk_Rating_Methodology&diff=133450&oldid=122921) should be reversed?

Logically I don't disagree with you change but there may have been a
caveat that you may not have considered (and might have been the
original intent of this anomaly) i.e. that is an unskilled threat
agent is more dangerous (since they make more unintended mistakes)
than those who are highly skilled.

BTW, I have no idea as to the reason behind for a "5th" value is
missing i.e. refer to the change note of Soroush Dalili for

Christian Heinrich


More information about the Owasp-testing mailing list