[OWASP-Security101] Vulnerability vs Threat

Jim Manico jim.manico at owasp.org
Wed Apr 11 12:10:25 UTC 2012


Threat as probability is defined by PCI and other standards (i.e. "possible
danger" in your description below).

Jason, do you differentiate "threat" and "threat agent"? By your
definition below you do not seem to.

--
Jim Manico
(808) 652-3805

On Apr 10, 2012, at 11:38 PM, Jason Li <jason.li at owasp.org> wrote:

> I disagree here, Jim, on the term "threat".
>
> A threat is a possible danger to the system regardless of likelihood or probability.
>
> Think about the omnipresent terrorist "threat" or a phoned in bomb "threat". These are possibilities. Likewise, a flood or earthquake can "threaten" the availability of a server farm. Regardless of how likely any of these events are, they are still "threats".
>
> Brian's analogy is a good one - the threat agent is the thief and that threat exists whether you're in a high crime area or a low crime area.
>
> Likelihood enters the discussion when an organization does a risk analysis to determine what threats need to be addressed and/or prioritized.
>
> To me, a vulnerability is a specific weakness in a system (e.g. the open front door) and a threat is an actor (whether individual, group, or act of God) that can take advantage of a vulnerability.
>
> -Jason
>
> On Apr 10, 2012, at 5:56 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Threat implies probability - so threat is the *probability or
>> likelihood* that a weakness will be successfully exploited.
>>
>> --
>> Jim Manico
>> VP, Security Architecture
>> WhiteHat Security
>> (808) 652-3805
>>
>> On Apr 10, 2012, at 4:15 PM, Brian Luteran
>> <Brian.Luteran at synchronoss.com> wrote:
>>
>>> Think of a vulnerability like an open door and a threat to that open door is a thief going through it to steal something.
>>>
>>> ~Brian
>>> -----Original Message-----
>>> From: security101-bounces at lists.owasp.org [mailto:security101-bounces at lists.owasp.org] On Behalf Of Zaki Akhmad
>>> Sent: Tuesday, April 10, 2012 2:31 AM
>>> To: OWASP Security 101
>>> Subject: [OWASP-Security101] Vulnerability vs Threat
>>>
>>> Hi lists,
>>>
>>> Is there any idea of how to easily explain the difference between
>>> vulnerability and threat? Using an example or analogy?
>>>
>>> Sometimes I still find it quite difficult to distinguish between these two terms.
>>>
>>> Regards,
>>>
>>> --
>>> Zaki Akhmad
>>> _______________________________________________
>>> Security101 mailing list
>>> Security101 at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/security101
>>> List Run By OWASP
>>> List Admin: Michael.Coates at owasp.org