[Owasp-topten] 2010 RC - Severity != Risk

Christian Heinrich christian.heinrich at owasp.org
Wed Dec 30 02:57:57 EST 2009


The core issue is that people (incorrectly) interchange the term
"risk" to express "severity" and a number of examples of this can be
observed security advisories published by vendors.  I have frequently
corrected this misinterpretation by clarifying the likelihood to
calculate the residual risk.  CVSS does attempt to correct this.

Note that I used "residual risk" *not* "risk" as "residual risk" is
consideration of the "severity", "likelihood" and the politics of the
specific environment (e.g. mitigation, "politics", etc) - hence

The counterpoints that conclude that likelihood is the greatest factor
in reducing residual risk even in the event that the "severity" is
1.  It is a static value at a specific point in time (i.e. 4360) and
hence would have not considered the rise and fall of likelihood over
time (i.e. CVSS).
2. The likelihood of you exploiting the webappsec vulnerability is
different to that of the client due to either their level of expertise
or special circumstances, such as turning of a WAF during the
engagement.  Hence, there can be two likelihood values at either end
of the bell curve based on aspect - pun intended :)

I am not sure of the specific context of "likelihood" in your example
but I would assume that the politics of your contact within the bank
of focusing on "severity" and not residual risk was that the residual
risk of webappsec is considered a low risk under their overall
operational risk register and therefore acceptable to the business.

The example I would have used is why is
http://ha.ckers.org/blog/20091114/owasp-appsecdc-top-10-changes/ a
high risk to Google and I will give you a hint, its not, but the
likelihood has increased due to the announcement of the RC :).
Furthermore, this has also been the conclusion drawn by other end
users (i.e. your target audience) (i.e. not consultants and/or
vendors) when I presented the example from the AppSecDC slides at the
OWASP Melbourne (Australia) Chapter recently.

On Tue, Dec 29, 2009 at 10:16 AM, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:
> OK. So the Top 10 - 2010 RC1 is focused on Risk, and your comment that it appears we are focusing on severity, per your definition below, does not seem to be correct to me, since we include 3 likelihood factors and 1 impact factor to calculate risk.
> So, I don't understand your original comment that it appears we are focusing on severity. And ignoring that, your request that we focus on severity, per your definition below, and thus ignore likelihood, doesn't seem to be a good idea to me at all, but I'm certainly interested in others opinions.
> To share a story, I just was working with a large banking client who also currently focuses only on impact (severity) and I advised them that they need to take likelihood into consideration because without it, they'll focus on many high impact items that are very unlikely, rather than focusing on those items that might have slightly less impact, but are very likely, resulting in higher actual risk to the organization.
> I think focusing only on severity, even if our calculation of likelihood is a bit subjective (which are based on our professional opinion and also based on vulnerability stats), would be a disservice to the audience we are trying to reach with the Top 10. And we are trying to be very clear that we do not know the threats that their particular systems face, nor the impacts to their business.
> Dave

Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule

More information about the Owasp-topten mailing list