[OWASP-Security101] Vulnerability vs Threat

Jason Li jason.li at owasp.org
Wed Apr 11 04:40:27 UTC 2012


I disagree here Jim on the term "threat".

A threat is a possible danger to the system regardless of likelihood or probability.

Think about the omnipresent terrorist "threat" or a phoned in bomb "threat". These are possibilities. Likewise, a flood or earthquake can "threaten" the availability of a server farm. Regardless of how likely any of these events are, they are still "threats".

Brian's analogy is a good one - the threat agent is the thief and that threat exists whether you're in a high crime area or a low crime area.

Likelihood enters the discussion when an organization does a risk analysis to determine what threats need to be addressed and/or prioritized.

To me, a vulnerability is a specific weakness in a system (e.g. the open front door) and a threat is an actor (whether individual, group, or act of God) that can take advantage of a vulnerability.

-Jason
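Jason's distinction, expressed as a small risk-register script: threats and vulnerabilities are enumerated first with no likelihood attached, and likelihood only enters at the risk-analysis step that ranks them. This is an added example and not part of the thread; the pairing rule (a threat matches a vulnerability when they concern the same security property), the 1-5 ordinal scales and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product

# Assumed model (not from the thread): a threat is an actor or event that
# endangers some security property; a vulnerability is a specific weakness
# that undermines that property. Neither record carries a likelihood.

@dataclass(frozen=True)
class Threat:
    agent: str       # individual, group, or act of God
    endangers: str   # security property the agent threatens

@dataclass(frozen=True)
class Vulnerability:
    weakness: str    # the concrete flaw, e.g. "open front door"
    undermines: str  # security property the weakness exposes

# Constructed sample inputs mirroring the thread's analogies.
THREATS = [
    Threat("thief", "confidentiality"),
    Threat("flood", "availability"),
    Threat("earthquake", "availability"),
]
VULNERABILITIES = [
    Vulnerability("open front door", "confidentiality"),
    Vulnerability("single-site server farm", "availability"),
]

def threat_vulnerability_pairs(threats, vulnerabilities):
    """Enumerate which threats can take advantage of which vulnerabilities.

    Likelihood is deliberately absent: the thief is in this list whether the
    house is in a high-crime or a low-crime area. The pairing rule (matching
    security property) is an assumption of this example.
    """
    return [(t, v) for t, v in product(threats, vulnerabilities)
            if t.endangers == v.undermines]

def prioritize(threats, vulnerabilities, likelihood, impact):
    """Risk-analysis step: combine each applicable pair with likelihood and impact.

    likelihood: dict agent -> 1..5, impact: dict weakness -> 1..5 (assumed
    ordinal scales). Returns (agent, weakness, score) sorted highest risk first.
    """
    rows = []
    for t, v in threat_vulnerability_pairs(threats, vulnerabilities):
        score = likelihood[t.agent] * impact[v.weakness]
        rows.append((t.agent, v.weakness, score))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed scales: same threats and vulnerabilities, two neighbourhoods.
IMPACT = {"open front door": 3, "single-site server farm": 5}
HIGH_CRIME = {"thief": 4, "flood": 2, "earthquake": 1}
LOW_CRIME = {"thief": 1, "flood": 2, "earthquake": 1}

if __name__ == "__main__":
    print("threats that can exploit a vulnerability (no likelihood involved):")
    for t, v in threat_vulnerability_pairs(THREATS, VULNERABILITIES):
        print(f"  {t.agent} -> {v.weakness}")
    for label, likelihood in (("high-crime area", HIGH_CRIME),
                              ("low-crime area", LOW_CRIME)):
        print(f"\nrisk ranking, {label}:")
        for agent, weakness, score in prioritize(THREATS, VULNERABILITIES,
                                                 likelihood, IMPACT):
            print(f"  {score:>3}  {agent} via {weakness}")
```

Running it shows the same three threat/vulnerability pairs in both neighbourhoods; only the ranking changes when the likelihood input changes, which is the point Jason makes about where likelihood belongs.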

On Apr 10, 2012, at 5:56 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Threat implies probability - so threat is the *probability or
> likelihood* that a weakness will be successfully exploited.
> 
> --
> Jim Manico
> VP, Security Architecture
> WhiteHat Security
> (808) 652-3805
> 
> On Apr 10, 2012, at 4:15 PM, Brian Luteran
> <Brian.Luteran at synchronoss.com> wrote:
> 
>> Think of a vulnerability like an open door and a threat to that open door is a thief going through it to steal something.
>> 
>> ~Brian
>> -----Original Message-----
>> From: security101-bounces at lists.owasp.org [mailto:security101-bounces at lists.owasp.org] On Behalf Of Zaki Akhmad
>> Sent: Tuesday, April 10, 2012 2:31 AM
>> To: OWASP Security 101
>> Subject: [OWASP-Security101] Vulnerability vs Threat
>> 
>> Hi lists,
>> 
>> Does anyone have an idea how to easily explain the difference between
>> vulnerability and threat? Using an example or analogy?
>> 
>> Sometimes I still find it quite difficult to distinguish between these two terms.
>> 
>> Regards,
>> 
>> --
>> Zaki Akhmad
>> _______________________________________________
>> Security101 mailing list
>> Security101 at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/security101
>> List Run By OWASP
>> List Admin: Michael.Coates at owasp.org
