[Owasp-topten] 2010 RC - Severity != Risk

Dave Wichers dave.wichers at aspectsecurity.com
Mon Dec 28 18:16:37 EST 2009

OK. So the Top 10 - 2010 RC1 is focused on Risk, and your comment that it appears we are focusing on severity, per your definition below, does not seem to be correct to me, since we include 3 likelihood factors and 1 impact factor to calculate risk.

So, I don't understand your original comment that it appears we are focusing on severity. And ignoring that, your request that we focus on severity, per your definition below, and thus ignore likelihood, doesn't seem to be a good idea to me at all, but I'm certainly interested in others' opinions.

To share a story, I just was working with a large banking client who also currently focuses only on impact (severity) and I advised them that they need to take likelihood into consideration because without it, they'll focus on many high impact items that are very unlikely, rather than focusing on those items that might have slightly less impact, but are very likely, resulting in higher actual risk to the organization.

I think focusing only on severity, even if our calculation of likelihood is a bit subjective (it is based on our professional opinion and also on vulnerability stats), would be a disservice to the audience we are trying to reach with the Top 10. And we are trying to be very clear that we do not know the threats that their particular systems face, nor the impacts to their business.
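The likelihood-times-impact ranking described above, as an added example that is not part of the thread: three likelihood factors averaged and multiplied by a single impact factor, then the same entries ranked by impact alone. The factor names and the 1-to-3 scale are assumptions modelled on the Top 10 2010 method, and the sample weaknesses are constructed, not real Top 10 ratings.

```python
from dataclasses import dataclass

# Rating scale for every factor (assumption modelled on the Top 10 2010 method:
# three likelihood factors and one impact factor, each rated 1..3).
RATINGS = {"difficult": 1, "average": 2, "easy": 3,
           "uncommon": 1, "common": 2, "widespread": 3,
           "minor": 1, "moderate": 2, "severe": 3}

@dataclass
class Weakness:
    name: str
    exploitability: str    # likelihood factor
    prevalence: str        # likelihood factor
    detectability: str     # likelihood factor
    technical_impact: str  # the single impact ("severity") factor

    def likelihood(self) -> float:
        """Average of the three likelihood factors on the 1..3 scale."""
        factors = (self.exploitability, self.prevalence, self.detectability)
        return sum(RATINGS[f] for f in factors) / len(factors)

    def severity(self) -> int:
        """Impact alone, which is all a severity-only rating looks at."""
        return RATINGS[self.technical_impact]

    def risk(self) -> float:
        """Risk = likelihood x impact, as defined in the thread."""
        return round(self.likelihood() * self.severity(), 2)

def rank(weaknesses, key):
    """Names ordered from highest to lowest by the given scoring function."""
    return [w.name for w in sorted(weaknesses, key=key, reverse=True)]

# Constructed sample entries: one high-impact but unlikely issue and one
# slightly lower-impact but very likely issue, as in the banking anecdote.
SAMPLE = [
    Weakness("Rare severe flaw", "difficult", "uncommon", "difficult", "severe"),
    Weakness("Common moderate flaw", "easy", "widespread", "easy", "moderate"),
    Weakness("Middling flaw", "average", "common", "average", "moderate"),
]

if __name__ == "__main__":
    for w in SAMPLE:
        print(f"{w.name:22} likelihood={w.likelihood():.2f} "
              f"severity={w.severity()} risk={w.risk()}")
    # Severity-only puts the rare flaw first; likelihood x impact puts it last.
    print("by severity:", rank(SAMPLE, Weakness.severity))
    print("by risk:    ", rank(SAMPLE, Weakness.risk))
```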


-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Christian Heinrich
Sent: Monday, December 28, 2009 5:29 PM
To: owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] 2010 RC - Severity != Risk


The OWASP Risk Rating Methodology appears to be based on AS/NZS 4360
with a number of additional metrics specific to webappsec.

Based on 4360, "Severity" would be defined as "Impact" (based on your
definition in your e-mail).  It can also be referred to as "Damage

My preferred method to express technical risk to the business is
CVSSv2 as the fundamental issue with 4360 is the subjectivity of the
likelihood and impact based on various perspectives (e.g. a different
residual risk can be perceived by the Audit Committee to that of the

Coincidentally, WASC has recently begun to supplement their statistics
with CVSSv2 Base Metrics (i.e. "Impact" or "Damage Consequence" or
"Severity") only and hence have excluded the Temporal and
Environmental Metrics (of CVSSv2).

CVSSv2 has also been adopted by PCI SCC (considering their adoption of
the OWASP Top Ten).

On Tue, Dec 29, 2009 at 3:23 AM, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:
> What is your definition of severity? We have defined risk as likelihood
> times impact and acknowledged that there are factors of both we can't
> measure in your environment.  However we think this is still risk.
> Dave

Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking