[Owasp-testing] Risk Rating and Accountability

Tony Turner tony.turner at owasp.org
Fri Mar 1 01:34:36 UTC 2019


That’s my quandary. I can certainly think of scenarios where a complete compromise of integrity or availability or confidentiality could create more consequences than a partial of all 3. But I agree on the resolution. 

Unfortunately in this instance, all threats are external for this use case, so accountability as you describe doesn't help us. It would wind up being a placeholder value for the 4th technical impact calculation; may as well just average the 3. I played with the idea of evaluating detection controls in the environment and using a score there to infer whether attribution was likely. Low maturity for a related asset = 9, while world class might be a 1 or 2. I can't think of any way you would ever get a 0 without non-repudiation.

Tony Turner | OWASP Orlando Chapter Lead

> On Feb 28, 2019, at 1:47 PM, Benjamin Robinson <benjamin.robinson at gmail.com> wrote:
> 
> Tony,
> 
> The methodology does specify using an average. Using max would probably reduce the resolution; you would likely be biasing towards all high risks, which may be a bit too alarmist and does not assist with managing risks.
> 
> Accountability is difficult. Attribution is often not possible so it may be a weak factor for your use case. We typically use this as 'was it an insider or an outsider?' Not all of the factors will be considered equal for your organization, so I think tailoring it to best suit your needs and risk tolerance is the best option to ensure that you are standing up something that gets adopted and helps.
> 
>> On Wed, Feb 27, 2019 at 6:32 AM Tony Turner <tony.turner at owasp.org> wrote:
>> How are you evaluating Accountability for Technical Impact?
>> 
>> I see the formula, but right now what I'm doing is using a taxonomy for asset type where I define a security requirement for CIA and then decrement that value by full/partial/none in CIA impacts for CVSS so a full keeps the requirement value (say a 9 for finance server C score) where a none decrements that down to 0. 
>> 
>> There are 2 issues with this approach. Should I avg or max these 3 scores? An avg might drop the CIA overall risk down to 3, which reduces the entire aggregate score, while a max would keep this at a 9. However, that also means 3 9's evaluates the same as 1 9, which isn't great either. 
>> 
>> And how to best evaluate accountability? That's not something I can easily extract from the NVD data set.
>> 
>> 
>> 
>> -- 
>> Tony Turner
>> OWASP Orlando Chapter Founder/Co-Leader
>> WAFEC Project Leader
>> tony.turner at owasp.org
>> https://www.owasp.org/index.php/Orlando
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
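
To make the avg-vs-max question in the thread concrete, here is an added example (not code from the thread, from OWASP, or from the Risk Rating Methodology) that implements the scoring Tony describes: per-asset-type CIA requirements on the 0-9 scale, decremented by the C/I/A impact values parsed from a CVSS v2 base vector as stored in NVD, aggregated by the methodology's average and by max side by side, with Tony's detection-maturity proxy as an optional 4th accountability factor. The asset taxonomy and its values, the halving of the requirement for a Partial impact, the 0-5 maturity scale and its score table are all assumptions made for the example.

```python
"""Added example (not from the thread or OWASP): CIA technical-impact scoring
with average vs. max aggregation, plus a detection-maturity proxy for
accountability, in the style Tony describes."""
from statistics import mean

# Per-asset-type CIA security requirements on the OWASP 0-9 scale.
# The asset taxonomy and these values are constructed for illustration.
ASSET_REQUIREMENTS = {
    "finance_server": {"C": 9, "I": 9, "A": 9},
    "marketing_site": {"C": 2, "I": 6, "A": 4},
}

# Fraction of the requirement retained per CVSS v2 impact value:
# C(omplete) keeps it, N(one) zeroes it. Halving for P(artial) is an
# assumption; the thread only defines the full and none cases.
IMPACT_WEIGHT = {"C": 1.0, "P": 0.5, "N": 0.0}

# Tony's proposed accountability proxy: detection-control maturity for the
# related asset. The 0-5 maturity scale and this table are assumptions;
# it never reaches 0 because that would require non-repudiation.
ACCOUNTABILITY_BY_MATURITY = {0: 9, 1: 7, 2: 5, 3: 3, 4: 2, 5: 1}


def parse_cvss2_impacts(vector):
    """Pull the C/I/A impact letters out of a CVSS v2 base vector as found in NVD,
    e.g. 'AV:N/AC:L/Au:N/C:C/I:N/A:N' -> {'C': 'C', 'I': 'N', 'A': 'N'}."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    impacts = {dim: metrics[dim] for dim in ("C", "I", "A")}
    for dim, value in impacts.items():
        if value not in IMPACT_WEIGHT:
            raise ValueError(f"unexpected CVSS v2 {dim} impact value {value!r}")
    return impacts


def cia_scores(asset_type, impacts):
    """Decrement each CIA requirement by the vulnerability's CVSS impact."""
    req = ASSET_REQUIREMENTS[asset_type]
    return {dim: req[dim] * IMPACT_WEIGHT[impacts[dim]] for dim in ("C", "I", "A")}


def accountability_score(detection_maturity):
    """Map detection maturity (0 = none, 5 = world class) to a 1-9 accountability score."""
    return ACCOUNTABILITY_BY_MATURITY[detection_maturity]


def technical_impact(asset_type, vector, detection_maturity=None, aggregate="avg"):
    """Aggregate the CIA scores (and accountability, if a maturity is supplied)
    with either the methodology's average or a max."""
    values = list(cia_scores(asset_type, parse_cvss2_impacts(vector)).values())
    if detection_maturity is not None:
        values.append(accountability_score(detection_maturity))
    if aggregate == "avg":
        return mean(values)
    if aggregate == "max":
        return max(values)
    raise ValueError(f"unknown aggregate {aggregate!r}")


def compare_aggregations(asset_type, vector, detection_maturity=None):
    """Return both aggregations so the resolution loss of max is visible side by side."""
    return {agg: technical_impact(asset_type, vector, detection_maturity, agg)
            for agg in ("avg", "max")}


if __name__ == "__main__":
    one_nine = "AV:N/AC:L/Au:N/C:C/I:N/A:N"      # full loss of C only
    three_nines = "AV:N/AC:L/Au:N/C:C/I:C/A:C"   # full loss of all three
    for label, vector in (("one 9", one_nine), ("three 9s", three_nines)):
        print(label, compare_aggregations("finance_server", vector))
    # With accountability from low detection maturity as the 4th factor:
    print("one 9 + accountability", compare_aggregations("finance_server", one_nine, 0))
```

Running it shows the two problems from the thread directly: for the finance server, a complete loss of confidentiality alone averages to 3 but maxes to 9, and a complete loss of all three also maxes to 9, so max cannot tell the two apart. Adding the maturity-derived accountability as a 4th averaged factor lifts the single-9 case to 4.5, which is the placeholder effect Tony is worried about when every threat is external.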