[Owasp-testing] Threat Agent Factors in OWASP Risk Rating Methodology
pichaya at ieee.org
Mon Jun 5 06:11:34 UTC 2017
It seems that the OWASP RMM formula is incorrect.
How technically skilled is this group of threat agents? Security
penetration skills (9), network and programming skills (6), advanced
computer user (5), some technical skills (3), no technical skills (1)"
If a vulnerability requires skilled threat actors.. that means it is
unlikely that the vulnerability can be exploited so the likelihood should
go down by the skill level factor.
In short, skill level = level of skills required to perform the attack.
9 Highly skilled required = low risk (1) because the flaw is limited by the
number of good attackers.
1 No technical skills required = high risk (9) since everyone can attack
the vulnerability... it is likely that the vulnerability will be exploited
at any given time.
You can't say that if the attacker is so good than the risk of
vulnerability will get higher because
1. We are talking about the risk of a particular vulnerability, not the
risk of a threat agent here.
2. Also, you cannot limit the skill of the attackers that could exploit the
vulnerability as well (but yes, the intranet users are probably not as good
as attackers from the internet?).
3. The skill level is a subsection of likelihood factor not impact factor !
Do not confuse impact of skill levels and possibility of being attacked by
the attacker with a given skill level.
I hope this will be fixed ASAP to make it more reasonable with the risk
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-testing