[Owasp-topten] 2010 RC - Severity != Risk
christian.heinrich at owasp.org
Wed Dec 30 03:15:26 EST 2009
The agenda for focusing on severity and not residual risk is that the
greater application community (incorrectly) considers the previous
releases of the OWASP Top Ten to represent the most severe and not
most common, e.g. the recent quote from Facebook, i.e.
"these vulnerabilities represent the most serious security issues that
may ***IMPACT*** [emphasis added] your Facebook application."
On Tue, Dec 29, 2009 at 10:16 AM, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:
> OK. So the Top 10 - 2010 RC1 is focused on Risk, and your comment that it appears we are focusing on severity, per your definition below, does not seem to be correct to me, since we include 3 likelihood factors and 1 impact factor to calculate risk.
> So, I don't understand your original comment that it appears we are focusing on severity. And ignoring that, your request that we focus on severity, per your definition below, and thus ignore likelihood, doesn't seem to be a good idea to me at all, but I'm certainly interested in others opinions.
> To share a story, I just was working with a large banking client who also currently focuses only on impact (severity) and I advised them that they need to take likelihood into consideration because without it, they'll focus on many high impact items that are very unlikely, rather than focusing on those items that might have slightly less impact, but are very likely, resulting in higher actual risk to the organization.
> I think focusing only on severity, even if our calculation of likelihood is a bit subjective (which are based on our professional opinion and also based on vulnerability stats), would be a disservice to the audience we are trying to reach with the Top 10. And we are trying to be very clear that we do not know the threats that their particular systems face, nor the impacts to their business.
> -----Original Message-----
> From: owasp-topten-bounces at lists.owasp.org [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Christian Heinrich
> Sent: Monday, December 28, 2009 5:29 PM
> To: owasp-topten at lists.owasp.org
> Subject: Re: [Owasp-topten] 2010 RC - Severity != Risk
> The OWASP Risk Rating Methodology appears to be based on AS/NZS 4360
> with a number of additional metrics specific to webappsec.
> Based on 4360, "Severity" would be defined as "Impact" (based on your
> definition in your e-mail). It can also be referred to as "Damage
> My preferred method to express technical risk to the business is
> CVSSv2 as the fundamental issue with 4360 is the subjectivity of the
> likelihood and impact based on various perspectives (e.g. a different
> residual risk can be perceived by the Audit Committee to that of the
> Coincidentally, WASC has recently begun to supplement their statistics
> with CVSSv2 Base Metrics (i.e. "Impact" or "Damage Consequence" or
> "Severity") only and hence have excluded the Temporal and
> Environmental Metrics (of CVSSv2).
> CVSSv2 has also been adopted by PCI SCC (considering their adoption of
> the OWASP Top Ten).
> On Tue, Dec 29, 2009 at 3:23 AM, Dave Wichers
> <dave.wichers at aspectsecurity.com> wrote:
>> What is your definition of severity? We have defined risk as likelihood
>> times impact and acknowledged that there are factors of both we can't
>> measure in your environment. However we think this is still risk.
> Christian Heinrich - http://sn.im/cmlh_linkedin_profile
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule