Difference between revisions of "Talk:OWASP Risk Rating Methodology"
Older revision: Jameswartell (talk | contribs) (Threat agent factors)
Newer revision: Jameswartell (talk | contribs) (elaborate threat agents)
Line 1:
== Stop Edit War - Threat Agent Factors Discussion ==
− The threat agent factors are clearly being misunderstood. This is not the level of skill needed to attack the application. It is the expected level of skill of people you suspect would try to attack your application. Obviously the more skilled the attacker, the higher your risk. You can tell this is the case when it says "Use the worst-case threat agent." Clearly someone with "network and programming skills" is a worse case threat agent than someone with "no technical skills", so do not revert my edit to say the opposite without discussion here. The last 5 edits have been people reverting each other without discussion. If you disagree, make your case here and we'll hash it out. [[User:Jameswartell|Jameswartell]] ([[User talk:Jameswartell|talk]]) 10:10, 7 August 2018 (CDT)
+ The threat agent factors are clearly being misunderstood. This is not the level of skill needed to attack the application. It is the expected level of skill of people you suspect would try to attack your application. Obviously the more skilled the attacker, the higher your risk. You can tell this is the case when it says "Use the worst-case threat agent." Clearly someone with "network and programming skills" is a worse case threat agent than someone with "no technical skills", so do not revert my edit to say the opposite without discussion here. The last 5 edits have been people reverting each other without discussion. If you disagree, make your case here and we'll hash it out. [[User:Jameswartell|Jameswartell]] --([[User talk:Jameswartell|talk]]) 10:10, 7 August 2018 (CDT)
+ : The level of skill needed to exploit the hack is a factor of the vulnerability, not the threat agents btw. I suspect the factor people are confusing this with is "ease of exploit". --[[User:Jameswartell|Jameswartell]] ([[User talk:Jameswartell|talk]]) 10:21, 7 August 2018 (CDT)
Revision as of 15:21, 7 August 2018
Stop Edit War - Threat Agent Factors Discussion
The threat agent factors are clearly being misunderstood. This is not the level of skill needed to attack the application. It is the expected level of skill of people you suspect would try to attack your application. Obviously the more skilled the attacker, the higher your risk. You can tell this is the case when it says "Use the worst-case threat agent." Clearly someone with "network and programming skills" is a worse case threat agent than someone with "no technical skills", so do not revert my edit to say the opposite without discussion here. The last 5 edits have been people reverting each other without discussion. If you disagree, make your case here and we'll hash it out. Jameswartell --(talk) 10:10, 7 August 2018 (CDT)
- The level of skill needed to exploit the hack is a factor of the vulnerability, not the threat agents btw. I suspect the factor people are confusing this with is "ease of exploit". --Jameswartell (talk) 10:21, 7 August 2018 (CDT)
Just editing now... Vanderaj 12:04, 22 December 2006 (EST)
What about compensating controls?
I think it is worthwhile to factor compensating controls into likelihood and impact. For example, if the organization implements an XML firewall, it can reduce the likelihood of some data-based attacks. Alternatively, if they back up their data every hour, the impact is then reduced.
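The two points raised on this talk page (skill level is a threat-agent factor describing the worst-case attacker, while ease of exploit is a vulnerability factor; and compensating controls such as an XML firewall or hourly backups should lower specific likelihood or impact factors) can be made concrete with the methodology's own arithmetic. The following is an added worked example, not code from the wiki page or from OWASP. The factor names, the 1-9 option values and the LOW/MEDIUM/HIGH bands and severity matrix follow the published OWASP Risk Rating Methodology as the example's author knows it; the scenario scores, the `rate`/`apply_controls` helpers and the idea of modelling a compensating control as a cap on a factor are this example's own assumptions.

```python
"""Worked example of OWASP Risk Rating arithmetic with compensating controls.

Added illustration (not the wiki page's or OWASP's code). Option values are
the methodology's as known to this example's author; the cap-based
compensating-control step is this example's own modelling choice.
"""
from statistics import mean

# Threat-agent factor: the expected skill of the WORST-CASE attacker, not the
# skill the attack demands. A more capable agent raises likelihood.
SKILL_LEVEL = {
    "no technical skills": 1,
    "some technical skills": 3,
    "advanced computer user": 5,
    "network and programming skills": 6,
    "security penetration skills": 9,
}

# Vulnerability factor: how hard the weakness itself is to exploit. This is
# the factor the thread suspects people confuse with skill level.
EASE_OF_EXPLOIT = {
    "theoretical": 1,
    "difficult": 3,
    "easy": 5,
    "automated tools available": 9,
}

LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",              # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness",         # vulnerability
    "intrusion_detection",
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)


def worst_case_skill(expected_agents):
    """'Use the worst-case threat agent': take the highest skill you expect."""
    return max(SKILL_LEVEL[agent] for agent in expected_agents)


def band(score):
    """Methodology's bands: below 3 LOW, 3 to below 6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def overall_severity(likelihood_band, impact_band):
    """Methodology's 3x3 matrix combining the likelihood and impact bands."""
    matrix = {
        ("LOW", "LOW"): "NOTE", ("MEDIUM", "LOW"): "LOW", ("HIGH", "LOW"): "MEDIUM",
        ("LOW", "MEDIUM"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
        ("LOW", "HIGH"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
    }
    return matrix[(likelihood_band, impact_band)]


def apply_controls(factors, controls):
    """Compensating controls modelled as caps on individual factor scores
    (this example's assumption; the methodology defines no such step)."""
    adjusted = dict(factors)
    for factor, cap in controls:
        if factor in adjusted:
            adjusted[factor] = min(adjusted[factor], cap)
    return adjusted


def rate(likelihood, impact, controls=()):
    """Average each factor group, band it, and combine; factor dicts must be complete."""
    assert set(likelihood) == set(LIKELIHOOD_FACTORS)
    assert set(impact) == set(IMPACT_FACTORS)
    l_score = mean(apply_controls(likelihood, controls).values())
    i_score = mean(apply_controls(impact, controls).values())
    l_band, i_band = band(l_score), band(i_score)
    return {"likelihood": l_score, "likelihood_band": l_band,
            "impact": i_score, "impact_band": i_band,
            "overall": overall_severity(l_band, i_band)}


# Constructed scenario: a data-based attack on an XML-processing endpoint.
BASE_LIKELIHOOD = {
    "skill_level": worst_case_skill(["no technical skills", "network and programming skills"]),
    "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": EASE_OF_EXPLOIT["automated tools available"],
    "awareness": 6, "intrusion_detection": 8,
}
BASE_IMPACT = {"loss_of_confidentiality": 6, "loss_of_integrity": 5,
               "loss_of_availability": 7, "loss_of_accountability": 7}

# The two controls from the comment above, as illustrative caps.
CONTROLS = (
    ("ease_of_exploit", EASE_OF_EXPLOIT["difficult"]),  # XML firewall blocks the easy path
    ("intrusion_detection", 3),                          # XML firewall logs and alerts
    ("loss_of_availability", 1),                         # hourly backups limit the outage
)

if __name__ == "__main__":
    print("without controls:", rate(BASE_LIKELIHOOD, BASE_IMPACT))
    print("with controls:   ", rate(BASE_LIKELIHOOD, BASE_IMPACT, CONTROLS))
```

Run as a script, the constructed scenario rates CRITICAL without the controls and MEDIUM with them, because each control lowers only the factor it actually affects. Swapping the worst-case agent for one with "no technical skills" lowers the likelihood average too, which is the direction the thread argues for, while leaving `ease_of_exploit` untouched since that describes the vulnerability, not the attacker.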