[Owasp-testing] Threat Agent Factors in OWASP Risk Rating Methodology

Tushar Vartak tusharvartak at me.com
Thu Jun 8 05:36:22 UTC 2017

Fully Agree and support for removal. This has been the most painful area to debate in testing reports. 

Tushar Vartak
Sent with Airmail

On June 8, 2017 at 3:40:14 AM, Bernd Eckenfels (bernd-2017 at eckenfels.net) wrote:

Agreed. This is why I vote for removing it. There is still the Exploitability factor which would be high for in-the-wild worms or attack kits, medium for documented exploits with no exploits and low for zero days which require skilled attackers to discover it.


On Wed, Jun 7, 2017 at 3:13 PM +0200, "Dimitri Fousekis" <dimitri at bitcrack.net> wrote:

I’ve seen this cause problems in client reports and findings too.


My question always is - but what if the highly skilled attacker creates an automated script that applies his skills to a medium-or-low skilled attacker?


The risk is still debatable in both cases because skill level is not a reliable constant we can use to measure the realization of such risk.


Before the days of Metasploit for example you could easily have classified 60% or more of its built-in attacks as “high skill level required” exploits. Now its taught to relatively new InfoSec candidates.



Twitter: @bitcrack_cyber @rurapenthe0




From: <owasp-testing-bounces+dimitri=bitcrack.net at lists.owasp.org> on behalf of Louis Nadeau <Louis.Nadeau at bentley.com>
Date: Wednesday, June 7, 2017 at 3:00 PM
To: Pichaya Morimoto <pichaya at ieee.org>, "owasp-testing at lists.owasp.org" <owasp-testing at lists.owasp.org>
Subject: Re: [Owasp-testing] Threat Agent Factors in OWASP Risk Rating Methodology


Hi Pichaya,


There was a “flame war” about this in other mailing list last year. There was convincing argument on both sides regarding this. I agree with you though.




From: owasp-testing-bounces+louis.nadeau=bentley.com at lists.owasp.org [mailto:owasp-testing-bounces+louis.nadeau=bentley.com at lists.owasp.org] On Behalf Of Pichaya Morimoto
Sent: Monday, June 5, 2017 2:12 AM
To: owasp-testing at lists.owasp.org
Subject: [Owasp-testing] Threat Agent Factors in OWASP Risk Rating Methodology


Hi guys,


It seems that the OWASP RMM formula is incorrect.


"Skill level

How technically skilled is this group of threat agents? Security penetration skills (9), network and programming skills (6), advanced computer user (5), some technical skills (3), no technical skills (1)"




If a vulnerability requires skilled threat actors.. that means it is unlikely that the vulnerability can be exploited so the likelihood should go down by the skill level factor.


In short, skill level = level of skills required to perform the attack. 


9 Highly skilled required = low risk (1) because the flaw is limited by the number of good attackers.

1 No technical skills required = high risk (9)  since everyone can attack the vulnerability... it is likely that the vulnerability will be exploited at any given time.


You can't say that if the attacker is so good than the risk of vulnerability will get higher because 

1. We are talking about the risk of a particular vulnerability, not the risk of a threat agent here.

2. Also, you cannot limit the skill of the attackers that could exploit the vulnerability as well (but yes, the intranet users are probably not as good as attackers from the internet?).

3. The skill level is a subsection of likelihood factor not impact factor ! Do not confuse impact of skill levels and possibility of being attacked by the attacker with a given skill level.


I hope this will be fixed ASAP to make it more reasonable with the risk rating scenarios.

Many thanks.

Disclaimer: Mauritius - The contents of this email are DC-2 Classified. All Other Countries - The information contained in this communication is intended solely for use by the individual or entity to whom it is addressed. It may contain proprietary material, confidential information and/or be subject to legal privilege. Use and/or distribution of this communication by others is prohibited. Bitcrack Group Mauritius Ltd (Bitcrack Cyber Security Pty Ltd) and it's subsidiaries are neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt nor for any special, incidental or consequential damages of any nature whatsoever resulting from receipt or use of this communication. Opinions, conclusions and other information on this message that do not relate to the official business of Bitcrack Group Ltd (Bitcrack Cyber Security) shall be understood as neither given nor endorsed by it.
Owasp-testing mailing list  
Owasp-testing at lists.owasp.org  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-testing/attachments/20170608/9d59d881/attachment.html>

More information about the Owasp-testing mailing list