This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Talk:OWASP Risk Rating Methodology"

From OWASP
Jump to: navigation, search
(err clarifying that I responded to the wrong user mistakenly)
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
== Stop Edit War - Threat Agent Factors Discussion ==
 +
 +
The threat agent factors are clearly being misunderstood. This is not the level of skill needed to attack the application. It is the expected level of skill of people you suspect would try to attack your application. Obviously the more skilled the attacker, the higher your risk. You can tell this is the case when it says "Use the worst-case threat agent." Clearly someone with "network and programming skills" is a worse case threat agent than someone with "no technical skills", so do not revert my edit to say the opposite without discussion here. The last 5 edits have been people reverting each other without discussion. If you disagree, make your case here and we'll hash it out. [[User:Jameswartell|Jameswartell]] --([[User talk:Jameswartell|talk]]) 10:10, 7 August 2018 (CDT)
 +
: The level of skill needed to exploit the hack is a factor of the vulnerability, not the threat agents btw. I suspect the factor people are confusing this with is "ease of exploit". --[[User:Jameswartell|Jameswartell]] ([[User talk:Jameswartell|talk]]) 10:21, 7 August 2018 (CDT)
 +
 +
== Discussion - Threat Agent Factor - Skill Level ==
 +
Per step 4, do we agree that the numeric goal is 6-9 = highest likelihood, while 0 to < 3 is lowest likelihood for all likelihood factors?
 +
 +
1. If you look at the size likelihood factor, would you say that developers or anonymous internet users are the higher likelihood?
 +
Current values:
 +
Developers (2)
 +
anonymous Internet users (9)
 +
 +
2. If you look at the skill level likelihood factor:
 +
If a person with no technical skills can pull off a successful attack, isn't that the highest likelihood? Shouldn't people with some technical skills include people with no technical skills? Shouldn't advanced computer users include people with no technical skills?
 +
Current values:
 +
No technical skills (1)
 +
security penetration skills (9)
 +
 +
To restate: The goal is to give the highest number to the highest likelihood. If a person with no technical skills is likely to pull off the attack, wouldn't that include people with security penetration skills? Wouldn't that have the highest likelihood?
 +
 +
Example 1:
 +
A 1 click exploit only requiring a browser allows someone to get all valid credit card numbers. A baby who is not able to walk can run this exploit.
 +
Would we agree that threat agent values =
 +
Skill level = 9
 +
Motive = 9
 +
Opportunity = 9
 +
Size = 9
 +
(This would indicate highest risk.)
 +
Using your example, the "skill level" would be 1, not 9, lowering the risk.
 +
 +
Example 2:
 +
An exploit requiring writing custom code to create a distributed denial of service and timing attack is required to get the name of my favorite animal type from an encrypted file on my web server that is only up for 1 minute a year.
 +
 +
Would we agree that threat agent values =
 +
Skill level = 0-1
 +
Motive = 1
 +
Opportunity = 1
 +
Size = 1
 +
(This would indicate lowest risk.)
 +
 +
Using the current values, the skill level would be 9, not 1, increasing risk.
 +
 +
Summary: The goal is to give highest number (9) to highest likelihood. Doing  math for simple example cases indicate a flaw that caused this "edit war". [[User:kxp43|kxp43]] ([[User talk:kxp43|talk]) 15:43, 15 November 2018 (EDT)
 +
 +
:You are saying that if the vulnerability is exploitable by a script kiddy, that makes the risk higher. Which is I agree is true. The trouble is you are trying to do it with a factor that is supposed to be about the "threat agent" not the vulnerability. The threat agent is about the kind of attackers you expect to come after you. Do we agree the threat agent is the person attacking you?  For vulnerabilities exploitable by a script kiddy, it is your "ease of exploit" factor (that is a vulnerability factor) that goes to 9.
 +
 +
: At my company for instance some of our systems we expect to be targeted by nation-states (hackers with security penetration skills from countries like Iran, China, and South Korea). We have some entertainment software on the other hand that we don't think China or Iran or South Korea would take any interest in. Clearly that lowers the risk of the latter. By interpreting the factors my way we can account for that difference in the expected skill of the attacker; via your way of interpreting this, a vulnerability in either software that has a similar ease of exploit would seem to have the same risk.
 +
 +
:Consider I could have the exact same bug in both pieces of software (ease of exploit stays the same), but clearly the one being targeted by more skilled attackers is at greater risk. The vulnerability is the same, but the threat agent changes. If there are automated tools available (ease of exploit:9), attackers with no skill (skill level:0) are still dangerous. On the other hand for vulnerabilities that are theoretical (i.e. that even with inside knowledge I don't know how to exploit exactly - ease of exploit: 0) script kiddies (threat agent:0) are no problem, but nation-states might still be. Do you see how these are independent factors? Otherwise why have both of them?  [[User:Jameswartell|Jameswartell]] ([[User talk:Jameswartell|talk]]) 13:48, 27 June 2019 (CDT)
 +
 +
 
Just editing now... [[User:Vanderaj|Vanderaj]] 12:04, 22 December 2006 (EST)
 
Just editing now... [[User:Vanderaj|Vanderaj]] 12:04, 22 December 2006 (EST)
 +
 +
:Your links look very commercial to me. One is selling a book. The other is to a site of a consulting firm. "Just editing" doesn't justify them. [[User:Jameswartell|Jameswartell]] ([[User talk:Jameswartell|talk]]) 13:54, 27 June 2019 (CDT)
 +
:: whoops. I was looking at the recent edit done by Verspite, not you. [[User:Jameswartell|Jameswartell]] ([[User talk:Jameswartell|talk]]) 13:54, 27 June 2019 (CDT)
  
 
== What about compensating controls? ==
 
== What about compensating controls? ==
  
 
I think it is worthwhile to factor in compensating controls into likelihood and impact. For example, if the organization implements an XML firewall, it can reduce like likelihood some data-based attacks. Alternatively, if they backup their data every hour, the impact is then reduced.
 
I think it is worthwhile to factor in compensating controls into likelihood and impact. For example, if the organization implements an XML firewall, it can reduce like likelihood some data-based attacks. Alternatively, if they backup their data every hour, the impact is then reduced.

Latest revision as of 18:54, 27 June 2019

Stop Edit War - Threat Agent Factors Discussion

The threat agent factors are clearly being misunderstood. This is not the level of skill needed to attack the application. It is the expected level of skill of people you suspect would try to attack your application. Obviously the more skilled the attacker, the higher your risk. You can tell this is the case when it says "Use the worst-case threat agent." Clearly someone with "network and programming skills" is a worse case threat agent than someone with "no technical skills", so do not revert my edit to say the opposite without discussion here. The last 5 edits have been people reverting each other without discussion. If you disagree, make your case here and we'll hash it out. Jameswartell --(talk) 10:10, 7 August 2018 (CDT)

The level of skill needed to exploit the hack is a factor of the vulnerability, not the threat agents btw. I suspect the factor people are confusing this with is "ease of exploit". --Jameswartell (talk) 10:21, 7 August 2018 (CDT)

Discussion - Threat Agent Factor - Skill Level

Per step 4, do we agree that the numeric goal is 6-9 = highest likelihood, while 0 to < 3 is lowest likelihood for all likelihood factors?

1. If you look at the size likelihood factor, would you say that developers or anonymous internet users are the higher likelihood? Current values: Developers (2) anonymous Internet users (9)

2. If you look at the skill level likelihood factor: If a person with no technical skills can pull off a successful attack, isn't that the highest likelihood? Shouldn't people with some technical skills include people with no technical skills? Shouldn't advanced computer users include people with no technical skills? Current values: No technical skills (1) security penetration skills (9)

To restate: The goal is to give the highest number to the highest likelihood. If a person with no technical skills is likely to pull off the attack, wouldn't that include people with security penetration skills? Wouldn't that have the highest likelihood?

Example 1: A 1 click exploit only requiring a browser allows someone to get all valid credit card numbers. A baby who is not able to walk can run this exploit. Would we agree that threat agent values = Skill level = 9 Motive = 9 Opportunity = 9 Size = 9 (This would indicate highest risk.) Using your example, the "skill level" would be 1, not 9, lowering the risk.

Example 2: An exploit requiring writing custom code to create a distributed denial of service and timing attack is required to get the name of my favorite animal type from an encrypted file on my web server that is only up for 1 minute a year.

Would we agree that threat agent values = Skill level = 0-1 Motive = 1 Opportunity = 1 Size = 1 (This would indicate lowest risk.)

Using the current values, the skill level would be 9, not 1, increasing risk.

Summary: The goal is to give highest number (9) to highest likelihood. Doing math for simple example cases indicate a flaw that caused this "edit war". kxp43 ([[User talk:kxp43|talk]) 15:43, 15 November 2018 (EDT)

You are saying that if the vulnerability is exploitable by a script kiddy, that makes the risk higher. Which is I agree is true. The trouble is you are trying to do it with a factor that is supposed to be about the "threat agent" not the vulnerability. The threat agent is about the kind of attackers you expect to come after you. Do we agree the threat agent is the person attacking you? For vulnerabilities exploitable by a script kiddy, it is your "ease of exploit" factor (that is a vulnerability factor) that goes to 9.
At my company for instance some of our systems we expect to be targeted by nation-states (hackers with security penetration skills from countries like Iran, China, and South Korea). We have some entertainment software on the other hand that we don't think China or Iran or South Korea would take any interest in. Clearly that lowers the risk of the latter. By interpreting the factors my way we can account for that difference in the expected skill of the attacker; via your way of interpreting this, a vulnerability in either software that has a similar ease of exploit would seem to have the same risk.
Consider I could have the exact same bug in both pieces of software (ease of exploit stays the same), but clearly the one being targeted by more skilled attackers is at greater risk. The vulnerability is the same, but the threat agent changes. If there are automated tools available (ease of exploit:9), attackers with no skill (skill level:0) are still dangerous. On the other hand for vulnerabilities that are theoretical (i.e. that even with inside knowledge I don't know how to exploit exactly - ease of exploit: 0) script kiddies (threat agent:0) are no problem, but nation-states might still be. Do you see how these are independent factors? Otherwise why have both of them? Jameswartell (talk) 13:48, 27 June 2019 (CDT)


Just editing now... Vanderaj 12:04, 22 December 2006 (EST)

Your links look very commercial to me. One is selling a book. The other is to a site of a consulting firm. "Just editing" doesn't justify them. Jameswartell (talk) 13:54, 27 June 2019 (CDT)
whoops. I was looking at the recent edit done by Verspite, not you. Jameswartell (talk) 13:54, 27 June 2019 (CDT)

What about compensating controls?

I think it is worthwhile to factor in compensating controls into likelihood and impact. For example, if the organization implements an XML firewall, it can reduce like likelihood some data-based attacks. Alternatively, if they backup their data every hour, the impact is then reduced.