[OWASP-Security101] Vulnerability vs Threat

Jim Manico jim.manico at owasp.org
Wed Apr 11 17:53:38 UTC 2012


Fair, Jason. But do you still put threat and threat agent in the same
bucket?

How about this:

Threat: possible attack
Threat agent: individual or group conducting attack
Risk: attack probability

Better?

--
Jim Manico
(808) 652-3805

On Apr 11, 2012, at 10:00 AM, Jason Li <jason.li at owasp.org> wrote:

Jim,

I think you're confusing the terms "probability" and "possibility".

Saying an event is "possible" or "has potential" is not the same as
determining the probability or likelihood of the event.

See the PCI glossary on the term threat (
https://www.pcisecuritystandards.org/security_standards/glossary.php#T)

> Threat: Condition or activity that has the potential to cause information
> or information processing resources to be intentionally or accidentally
> lost, modified, exposed, made inaccessible, or otherwise affected to the
> detriment of the organization.


The draft OWASP reference that Seba referred to earlier in this thread is
also a great document that provides a good explanation and background
information - kudos to the team working on that document! Can't wait to see
it incorporated into the OWASP wiki knowledge base!

-Jason

On Wed, Apr 11, 2012 at 8:10 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Threat as probability is defined by PCI and other standards (i.e., "possible
> danger" in your description below).
>
> Jason, do you differentiate "threat" and "threat agent"? By your
> definition below you do not seem to.
>
> --
> Jim Manico
> (808) 652-3805
>
> On Apr 10, 2012, at 11:38 PM, Jason Li <jason.li at owasp.org> wrote:
>
> > I disagree here Jim on the term "threat".
> >
> > A threat is a possible danger to the system regardless of likelihood or
> probability.
> >
> > Think about the omnipresent terrorist "threat" or a phoned in bomb
> "threat". These are possibilities. Likewise, a flood or earthquake can
> "threaten" the availability of a server farm. Regardless of how likely any
> of these events are, they are still "threats".
> >
> > Brian's analogy is a good one - the threat agent is the thief and that
> threat exists whether you're in a high crime area or a low crime area.
> >
> > Likelihood enters the discussion when an organization does a risk
> analysis to determine what threats need to be addressed and/or prioritized.
> >
> > To me, a vulnerability is a specific weakness in a system (e.g. the open
> front door) and a threat is an actor (whether individual, group, or act of
> God) that can take advantage of a vulnerability.
> >
> > -Jason
> >
> > On Apr 10, 2012, at 5:56 PM, Jim Manico <jim.manico at owasp.org> wrote:
> >
> >> Threat implies probability - so threat is the *probability or
> >> likelihood* that a weakness will be successfully exploited.
> >>
> >> --
> >> Jim Manico
> >> VP, Security Architecture
> >> WhiteHat Security
> >> (808) 652-3805
> >>
> >> On Apr 10, 2012, at 4:15 PM, Brian Luteran
> >> <Brian.Luteran at synchronoss.com> wrote:
> >>
> >>> Think of a vulnerability like an open door and a threat to that open
> door is a thief going through it to steal something.
> >>>
> >>> ~Brian
> >>> -----Original Message-----
> >>> From: security101-bounces at lists.owasp.org [mailto:
> security101-bounces at lists.owasp.org] On Behalf Of Zaki Akhmad
> >>> Sent: Tuesday, April 10, 2012 2:31 AM
> >>> To: OWASP Security 101
> >>> Subject: [OWASP-Security101] Vulnerability vs Threat
> >>>
> >>> Hi lists,
> >>>
> >>> Are there any ideas on how to easily explain the difference between
> >>> vulnerability and threat? Using an example or analogy?
> >>>
> >>> Sometimes I still find it quite difficult to distinguish between these
> two terms.
> >>>
> >>> Regards,
> >>>
> >>> --
> >>> Zaki Akhmad
> >>> _______________________________________________
> >>> Security101 mailing list
> >>> Security101 at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/security101
> >>> List Run By OWASP
> >>> List Admin: Michael.Coates at owasp.org

