This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Risk Rating Methodology"

From OWASP
Jump to: navigation, search
(Quantitative Risk Calculation Example)
Line 1: Line 1:
[[http://www.owasp.org/index.php/Writing_Reports:_value_the_real_risk_AoC Up]]<br>
+
[[http://www.owasp.org/index.php/Writing_Reports:_value_the_real_risk_AoC Up]]
 +
 
 
{{Template:OWASP Testing Guide v2}}
 
{{Template:OWASP Testing Guide v2}}
  
==Application Security Risk Analysis==  
+
 
===Background===
+
==Overview==  
Application security risk analysis consists of the assessment of the levels of risk calculated for threats and vulnerabilities. Risk assessment practitioners usually refer to application security risk analysis as technical risk assessment. In the technical risk assessment, threat and vulnerability represent the two factors (i.e. multipliers) used for risk calculation. Depending on the empirical risk formulation chosen, different parameters can be used to characterize threats and vulnerabilities and calculate the final risk value. By associating risk values to each of the findings it is possible to prioritize vulnerabilities and fix first the ones with higher risks that is by threats with highest impact, ease of exploitation and exposure. On the other hand, information risk analysts also look to other risk factors while deciding the strategy for mitigating application security risks such the evaluation of business impacts derived by the exploitation of the vulnerability. Technical risks and business impact analysis are both evaluated as part of the information risk management strategy that includes selection and adoption of countermeasures justified by the identified risks to assets and the reduction of those risks to acceptable levels. For the purpose of this guide we limit the scope of risk evaluation to technical impact analysis that is the evaluation of risk for found vulnerabilities and identified threats.<BR>
+
 
 +
Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business. Of course, a vulnerability that is critical to one organization may not be very important to another. But having a standard way of rating vulnerabilities within an organization is extremely important. A risk rating standard allows security issues to be prioritized, so that an organization can make informed decisions about where to focus security investments.
 +
 
 +
 
 +
==Approach==
 +
 
 +
There are many different approaches to risk analysis. Here are some of the common methodologies.
 +
 
 +
* NIST 800-30
 +
* OCTAVE
 +
* ...
 +
 
 +
The OWASP approach is based on these standard methodologies and is customized for application security. This approach builds on the standard risk model:
 +
 +
 
 +
      Risk = Likelihood * Impact
 +
 
 +
 
 +
In the sections below, we break down the factors that make up "likelihood" and "impact". Organizations can customize and weight these factors to create their own standard for rating risks.  
 +
 
 +
 
 +
==Step 1: Preparation==
 +
 
 +
 
 +
 
 +
==Step 2: Estimating Likelihood==
 +
 
 +
Likelihood factors generally break down into information about the threat agent, and information about the vulnerability:
 +
 
 +
-        Threat agent
 +
 
 +
o      Skill level required
 +
 
 +
o      Threat agent motivation (attractiveness of target)
 +
 
 +
o      Threat agent access level
 +
 
 +
o      Threat agent size
 +
 
 +
o      …
 +
 
 +
 +
 
 +
-        Vulnerability
 +
 
 +
o      Ease of discovery
 +
 
 +
o      Awareness
 +
 
 +
o      Tools available
 +
 
 +
o      Mitigating controls in place
 +
 
 +
o      Accountability (not logged, logged w/o review, logged and reviewed)
 +
 
 +
o      …
 +
 
 +
 +
==Step 3: Estimating Impact==
 +
 
 +
Impact is generally calculated based on annualized loss expectancy (ALE). Businesses should create a standard for what dollar amounts are significant to their business and establish some levels for Impact. Understanding the assets and functions involved, and the importance of confidentiality, integrity, and availability to the business is critical to getting good estimates of the real business impact. Reputation damage is frequently the driver here.
 +
 
 +
 +
 
 +
Since none of these factors are very easy to measure, it's best to have enumerated lists (like accountability above) for each factor that make sense for the particular business.
 +
 
 +
 +
 
 +
The real tailoring comes from weighting these factors according to your business. Having a risk ranking framework that's customizable for a business is critical for adoption.  Otherwise, you'll spend lots of time arguing about the risk ratings that are produced.
 +
 
 +
 +
 
 +
Based on the factors and weights, you calculate whether the likelihood is L, M, or H and whether the impact is L, M, or H. Then you can calculate the overall risk with a 9-box.
 +
 
 +
 +
 
 +
                                                            OVERALL SEVERITY
 +
 
 +
 +
 
 +
HIGH LIKELIHOOD
 +
Medium
 +
High
 +
Critical
 +
 +
MEDIUM LIKELIHOOD
 +
Low
 +
Medium
 +
High
 +
 +
LOW LIKELIHOOD
 +
Note
 +
Low
 +
Medium
 +
 +
 +
LOW IMPACT
 +
MEDIUM IMPACT
 +
HIGH IMPACT
 +
 +
 
 +
 +
 
 +
 +
 
 +
If the list is okay with this approach, I will write it up in time for the release.  I can imagine a simple tool that queries you for information like what are your different user groups, etc.. then the tool allows you to weight the factors, then it produces a custom risk rating tool for your organization's application security findings.  Built into report generator this would be very cool.  
 +
 
 +
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
  
 
===Definitions===
 
===Definitions===
For the scope of the risk assessments of this guide the definitions for risk, threat and vulnerability are taken from the the Risk Management Guide for Information Technology Systems of NIST[http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf]
+
For the scope of the risk assessments of this guide the definitions for risk, threat and vulnerability are taken from the the Risk Management Guide for Information Technology Systems of  
 +
 
 
* '''Risk''' is the probability that a particular threat will exercise a particular information system vulnerability and the resulting impact if this should occur.  
 
* '''Risk''' is the probability that a particular threat will exercise a particular information system vulnerability and the resulting impact if this should occur.  
 
* '''Threat''' is the potential to exercise (accidentally trigger or intentionally exploit) a specific vulnerability
 
* '''Threat''' is the potential to exercise (accidentally trigger or intentionally exploit) a specific vulnerability
 
* '''Vulnerability''' is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.
 
* '''Vulnerability''' is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.
  
==Risks Formulation==
 
 
For the purposes of a security assessment, OWASP defines the risk associated with a security finding as a product of the Impact ('''Imp'''), Ease of Exploitation ('''EoE''') and Exposure ('''Exp'''):<BR>
 
<BR>
 
'''Risk = Imp x EoE x Exp<BR><BR>
 
By breaking down the security findings in this way a threats criticality and the implication of the vulnerability exposure may be better evaluated and risks can be prioritized and managed. The risk evaluation is taken out of the context of the nature of the application or host (e.g. server, firewall or workstation), and regardless of the type of data stored on it.<BR>
 
The impact and the easiness of exploitation of a threat are usually considered the main factors in determining the criticality of threats. In this case, impact is taken as a measure of the implication of a discrete component being compromised (e.g. attack potency).
 
The ease of exploitation for a threat can be further described as a factor of discoverability and reproducibility of a threat.
 
Exposure quantifies the likelihood that the vulnerability can be compromised through its availability. For example, an easily exploited vulnerability on an Internet facing host would be highly exposed, and therefore very likely to be compromised. An internal host with a vulnerability that was difficult to exploit would present a much lower threat.<BR>
 
 
==Threat Categorizations==
 
For the purpose of the OWASP testing guide, threats can be identified for each of the testing category using threat categorization frameworks(e.g. STRIDE, TRIKE, Web Application Security Frame[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/TMWA.asp] etc). OWASP does not endorse any specific threat categorization, but rather recommends the adoption of a threat categorization depending on the specific objectives of the security assessment. A critical review of threat categorization frameworks can be found in the Security In The Software Lifecycle from DHS [https://buildsecurityin.us-cert.gov/daisy/bsi/87/version/12/part/4/data/Draft+Security+in+the+Software+Lifcycle+v1.2.pdf?branch=main&language=default]In general, categorizations that focus on threats rather than attacks are more suitable for the identification of countermeasures.
 
Example of specific objectives for the risk evaluation are:
 
 
*Regulatory and requirements compliance
 
*Regulatory and requirements compliance
 
*Tactical prioritization for mitigation of vulnerabilities (e.g. high risk first)
 
*Tactical prioritization for mitigation of vulnerabilities (e.g. high risk first)
 
*Risk strategy selection
 
*Risk strategy selection
  
==Risk Ranking Systems==  
+
==References==
Before any kind of calculation can be done appropriate values for the impact, ease of exploitation and exposure have to be found. Every risk parameter can be assigned a qualitative value based on its importance (e.g. severity). Using qualitative values rather than quantitative ones can help avoid the ranking becoming overly subjective. The same argument holds true for the number of different qualitative values, hence, only three different values (high, medium, low) are used.
+
 
 +
* NIST 800-30 Risk Management Guide for
 +
Information Technology Systems [http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf]
  
However while determining qualitative values for risk several risk ranking systems can be used:
 
* Proprietary common vulnerability list risk ranking
 
 
* Industry standard vulnerability severity and risk rankings (CVSS[http://www.first.org/cvss/])
 
* Industry standard vulnerability severity and risk rankings (CVSS[http://www.first.org/cvss/])
 +
 
* Security-enhancing process models vulnerability root cause categorization (CLASP [http://www.owasp.org/index.php/Category:OWASP_CLASP_Project])
 
* Security-enhancing process models vulnerability root cause categorization (CLASP [http://www.owasp.org/index.php/Category:OWASP_CLASP_Project])
* Threat modeling risk rankings (DREAD[http://www.owasp.org/index.php/Threat_Risk_Modeling], TRIKE[http://dymaxion.org/trike/Trike_v1_Methodology_Document-draft.pdf], PTA [http://www.ptatechnologies.com/], CORAS[http://www2.nr.no/coras/], SECURIS[http://heim.ifi.uio.no/~ketils/securis/the-securis-technical-description.htm], T-MAP[http://sunset.usc.edu/events/2006/CSSE_Convocation/publications/ChenValueBasedSecurityThreatModel.pdf])
 
  
==Risks Calculation Models=
+
* Microsoft Web Application Security Frame [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/TMWA.asp]
 +
 
 +
* Security In The Software Lifecycle from DHS [https://buildsecurityin.us-cert.gov/daisy/bsi/87/version/12/part/4/data/Draft+Security+in+the+Software+Lifcycle+v1.2.pdf?branch=main&language=default]
  
 +
Threat modeling tools
  
===Qualitative Risk Calculation Example (TBD)===
+
* DREAD [http://www.owasp.org/index.php/Threat_Risk_Modeling]
 +
* TRIKE [http://dymaxion.org/trike/Trike_v1_Methodology_Document-draft.pdf]
 +
* PTA [http://www.ptatechnologies.com/]
 +
* CORAS [http://www2.nr.no/coras/]
 +
* SECURIS [http://heim.ifi.uio.no/~ketils/securis/the-securis-technical-description.htm]
 +
* T-MAP [http://sunset.usc.edu/events/2006/CSSE_Convocation/publications/ChenValueBasedSecurityThreatModel.pdf]
  
Risk Parameters:
 
Impact (Imp)
 
* Critical
 
* High
 
* Medium
 
* Low
 
Ease of Exploitation (EoE)
 
* Easy
 
* Moderate
 
* Difficult
 
Exposure (Exp)
 
* Very high
 
* High
 
* Medium
 
* Low
 
  
 
{{Category:OWASP Testing Project AoC}
 
{{Category:OWASP Testing Project AoC}

Revision as of 11:02, 22 December 2006

[Up]

OWASP Testing Guide v2 Table of Contents


Overview

Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business. Of course, a vulnerability that is critical to one organization may not be very important to another. But having a standard way of rating vulnerabilities within an organization is extremely important. A risk rating standard allows security issues to be prioritized, so that an organization can make informed decisions about where to focus security investments.


Approach

There are many different approaches to risk analysis. Here are some of the common methodologies.

  • NIST 800-30
  • OCTAVE
  • ...

The OWASP approach is based on these standard methodologies and is customized for application security. This approach builds on the standard risk model: 


      Risk = Likelihood * Impact


In the sections below, we break down the factors that make up "likelihood" and "impact". Organizations can customize and weight these factors to create their own standard for rating risks.


Step 1: Preparation

Step 2: Estimating Likelihood

Likelihood factors generally break down into information about the threat agent, and information about the vulnerability:

- Threat agent

o Skill level required

o Threat agent motivation (attractiveness of target)

o Threat agent access level

o Threat agent size

o …


- Vulnerability

o Ease of discovery

o Awareness

o Tools available

o Mitigating controls in place

o Accountability (not logged, logged w/o review, logged and reviewed)

o …


Step 3: Estimating Impact

Impact is generally calculated based on annualized loss expectancy (ALE). Businesses should create a standard for what dollar amounts are significant to their business and establish some levels for Impact. Understanding the assets and functions involved, and the importance of confidentiality, integrity, and availability to the business is critical to getting good estimates of the real business impact. Reputation damage is frequently the driver here.


Since none of these factors are very easy to measure, it's best to have enumerated lists (like accountability above) for each factor that make sense for the particular business.


The real tailoring comes from weighting these factors according to your business. Having a risk ranking framework that's customizable for a business is critical for adoption. Otherwise, you'll spend lots of time arguing about the risk ratings that are produced.


Based on the factors and weights, you calculate whether the likelihood is L, M, or H and whether the impact is L, M, or H. Then you can calculate the overall risk with a 9-box. 


                                                           OVERALL SEVERITY


HIGH LIKELIHOOD 

Medium
High
Critical

MEDIUM LIKELIHOOD 

Low
Medium
High

LOW LIKELIHOOD 

Note
Low
Medium


LOW IMPACT
MEDIUM IMPACT
HIGH IMPACT



If the list is okay with this approach, I will write it up in time for the release. I can imagine a simple tool that queries you for information like what are your different user groups, etc.. then the tool allows you to weight the factors, then it produces a custom risk rating tool for your organization's application security findings. Built into report generator this would be very cool.








Definitions

For the scope of the risk assessments of this guide the definitions for risk, threat and vulnerability are taken from the the Risk Management Guide for Information Technology Systems of

  • Risk is the probability that a particular threat will exercise a particular information system vulnerability and the resulting impact if this should occur.
  • Threat is the potential to exercise (accidentally trigger or intentionally exploit) a specific vulnerability
  • Vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.
  • Regulatory and requirements compliance
  • Tactical prioritization for mitigation of vulnerabilities (e.g. high risk first)
  • Risk strategy selection

References

  • NIST 800-30 Risk Management Guide for

Information Technology Systems [1]

  • Industry standard vulnerability severity and risk rankings (CVSS[2])
  • Security-enhancing process models vulnerability root cause categorization (CLASP [3])
  • Microsoft Web Application Security Frame [4]
  • Security In The Software Lifecycle from DHS [5]

Threat modeling tools


{{Category:OWASP Testing Project AoC}

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Risk_Rating_Methodology&oldid=14552"