[Owasp-testing] Are the Risk Rating Wiki Pages Broken? I happen to really like the Testing Guide Risk Rating Methodology

Christian Heinrich christian.heinrich at cmlh.id.au
Fri Aug 30 01:58:36 UTC 2013


David,

ISO 31000 is much simpler to implement than the complexity of the
OWASP Risk Rating Methodology.

Furthermore, CVSS has already addressed the shortcoming of the OWASP
Risk Rating Methodology, such as the lack of independence and bias
shown in Aspect Security (its author's) own application of it:

1. CVSSv2 Base Scores are vetted by OSVDB and NIST independently of
each other i.e. the announcement from OSVDB was made within
https://lists.immunityinc.com/pipermail/dailydave/2013-August/date.html
but hasn't been reflected in the mail archive yet.

2. "... For example, a SQL injection problem is frequently CRITICAL,
but it might also be a LOW risk finding if the database is already
public and only an administrator could possibly exploit the flaw. ..."
 to quote page 7 of
https://www.aspectsecurity.com/uploads/downloads/2013/06/Aspect-2013-Global-AppSec-Risk-Report.pdf
is an incorrect determination of residual business risk.

3. The inclusion of A9 in the OWASP Top Ten 2013 to promote the
business interests of Sonatype based on bias and questionable research
conducted by Aspect Security on behalf of Sonatype i.e.
https://www.owasp.org/index.php/Issues_Concerning_The_OWASP_Top_Ten_2013

4. Aspect Security have caused catastrophic brand damage to OWASP by
failing to manage the business risk of OWASP Members' grievances, such
as http://lists.owasp.org/pipermail/owasp-board/2013-March/011679.html,
http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html,
http://lists.owasp.org/pipermail/owasp-board/2013-August/012322.html,
etc.  Furthermore, some of these OWASP Members were also employees of
Aspect Security but quit [Aspect Security] in disgust.

Therefore, my continued recommendation to OWASP has been to contribute
to CVSSv3.  I haven't identified any content from the OWASP Risk
Rating Methodology that has been addressed by CVSSv2 already but I
would welcome anyone to correct my understanding?


On Mon, Aug 26, 2013 at 9:56 PM, David Fern <dfern at verizon.net> wrote:
> I happen to really like the Testing Guide Risk Rating Methodology
>
> While it may be more simplistic than ISO 31000 and CVSS, for the Testing
> Guide and its audience it is great.
>
> In fact I believe that an organization starting out will be able to easily
> take the charts and concepts/methodology from this section and make a nice
> "results report".
>
> Probably we need to include references to ISO 31000 and CVSS and start the
> methodology with some caveats and a broader theory, with this methodology
> presented as an example.
>
> Any thoughts?
>
> Thanks,
> David
>
> From: Christian Heinrich <christian.heinrich at cmlh.id.au>
> To: Jim Manico <jim.manico at owasp.org>
> Cc: Thomas Brennan <TBrennan at trustwave.com>; "owasp-testing at lists.owasp.org"
> <owasp-testing at lists.owasp.org>
> Sent: Monday, August 26, 2013 7:11 AM
> Subject: Re: [Owasp-testing] Are the Risk Rating Wiki Pages Broken?
>
> Jim,
>
> "... For example, a SQL injection problem is frequently CRITICAL, but
> it might also be a LOW risk finding if the database is already public
> and only an administrator could possibly exploit the flaw. ..."  to
> quote page 7 of
> https://www.aspectsecurity.com/uploads/downloads/2013/06/Aspect-2013-Global-AppSec-Risk-Report.pdf.
> I can understand that a risk manager might not comprehend technology
> but even they have agreed with me that the quote is the worst calculation
> of inherent and residual risk that has ever been published.
>
> Until I see what additional value the OWASP Risk Rating
> Methodology would provide above ISO 31000 and CVSS, then it is neither a
> good start nor a framework for that matter.  Hence it should be removed
> from the OWASP Testing Guide (since it taints what is otherwise good
> work within the Testing Guide) and marked as aborted.
>
> On Mon, Aug 26, 2013 at 8:45 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Hey now, the OWASP Risk Rating is a good start and possibly even a
>> good framework. It just needs an update. I also think that if you use
>> "highest impact" instead of the "average impact" the numbers fall out
>> better.
>>
>> As for project sponsorship issues, we desperately need better rules of
>> play that are consistent across all projects. We really do not have
>> that right now.
>>
>> The board is actively working on this and will submit a few proposals
>> for the membership community to vote on, and soon.
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact



-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
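As an added illustration (not code from this thread or from OWASP), a small Python model of the OWASP Risk Rating Methodology's scoring that shows what Jim's "highest impact instead of average impact" suggestion changes for the admin-only SQL injection scenario quoted above; the factor names follow the methodology, while the scores are constructed for illustration.

```python
from statistics import mean

# Likelihood factors (threat agent + vulnerability), each scored 0-9.
LIKELIHOOD_KEYS = ("skill_level", "motive", "opportunity", "size",
                   "ease_of_discovery", "ease_of_exploit", "awareness",
                   "intrusion_detection")
# Impact factors (technical + business), each scored 0-9.
IMPACT_KEYS = ("loss_of_confidentiality", "loss_of_integrity",
               "loss_of_availability", "loss_of_accountability",
               "financial_damage", "reputation_damage", "non_compliance",
               "privacy_violation")

# (likelihood level, impact level) -> overall severity, per the methodology's matrix.
SEVERITY = {
    ("LOW", "LOW"): "NOTE", ("LOW", "MEDIUM"): "LOW", ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}

def level(score):
    """Map a 0-9 score to the LOW (<3) / MEDIUM (<6) / HIGH band."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"

def rate(factors, impact_agg=mean):
    """Return (likelihood level, impact level, severity). impact_agg is mean
    (the published method averages impact) or max (Jim's 'highest impact')."""
    likelihood = level(mean([factors[k] for k in LIKELIHOOD_KEYS]))
    impact = level(impact_agg([factors[k] for k in IMPACT_KEYS]))
    return likelihood, impact, SEVERITY[(likelihood, impact)]

# Constructed scores for the thread's scenario: a SQL injection reachable
# only by an administrator, whose worst case is a full confidentiality loss
# while every other impact factor is minor.
ADMIN_ONLY_SQLI = {
    "skill_level": 3, "motive": 4, "opportunity": 4, "size": 2,
    "ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 4,
    "intrusion_detection": 3,
    "loss_of_confidentiality": 9, "loss_of_integrity": 1,
    "loss_of_availability": 1, "loss_of_accountability": 1,
    "financial_damage": 3, "reputation_damage": 1, "non_compliance": 1,
    "privacy_violation": 1,
}
```

With these constructed scores, rate(ADMIN_ONLY_SQLI) averages impact to 2.25 and yields an overall LOW, whereas rate(ADMIN_ONLY_SQLI, max) takes the 9 for confidentiality and yields HIGH: the same finding lands two bands apart depending only on the aggregation rule.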