Difference between revisions of "Talk:OWASP Risk Rating Methodology"

From OWASP
(elaborate threat agents)
(Adding discussion about threat agent factor -> skill level reasoning for previous changes.)

Revision as of 20:58, 15 November 2018

Stop Edit War - Threat Agent Factors Discussion

The threat agent factors are clearly being misunderstood. This is not the level of skill needed to attack the application. It is the expected level of skill of people you suspect would try to attack your application. Obviously the more skilled the attacker, the higher your risk. You can tell this is the case when it says "Use the worst-case threat agent." Clearly someone with "network and programming skills" is a worse case threat agent than someone with "no technical skills", so do not revert my edit to say the opposite without discussion here. The last 5 edits have been people reverting each other without discussion. If you disagree, make your case here and we'll hash it out. --Jameswartell (talk) 10:10, 7 August 2018 (CDT)

The level of skill needed to exploit the hack is a factor of the vulnerability, not the threat agents btw. I suspect the factor people are confusing this with is "ease of exploit". --Jameswartell (talk) 10:21, 7 August 2018 (CDT)

Discussion - Threat Agent Factor - Skill Level

Per step 4, do we agree that the numeric goal is 6-9 = highest likelihood, while 0 to < 3 is lowest likelihood for all likelihood factors?

1. If you look at the size likelihood factor, would you say that developers or anonymous internet users are the higher likelihood?

Current values:

Developers (2)
anonymous Internet users (9)

2. If you look at the skill level likelihood factor: If a person with no technical skills can pull off a successful attack, isn't that the highest likelihood? Shouldn't people with some technical skills include people with no technical skills? Shouldn't advanced computer users include people with no technical skills?

Current values:

No technical skills (1)
security penetration skills (9)

To restate: The goal is to give the highest number to the highest likelihood. If a person with no technical skills is likely to pull off the attack, wouldn't that include people with security penetration skills? Wouldn't that have the highest likelihood?

Example 1: A 1-click exploit only requiring a browser allows someone to get all valid credit card numbers. A baby who is not able to walk can run this exploit.

Would we agree that threat agent values =

Skill level = 9
Motive = 9
Opportunity = 9
Size = 9

(This would indicate highest risk.)

Using your example, the "skill level" would be 1, not 9, lowering the risk.

Example 2: An exploit requiring writing custom code to create a distributed denial of service and timing attack is required to get the name of my favorite animal type from an encrypted file on my web server that is only up for 1 minute a year.

Would we agree that threat agent values =

Skill level = 0-1
Motive = 1
Opportunity = 1
Size = 1

(This would indicate lowest risk.)

Using the current values, the skill level would be 9, not 1, increasing risk.

Summary: The goal is to give the highest number (9) to the highest likelihood. Doing the math for simple example cases indicates a flaw that caused this "edit war". kxp43 (talk) 15:43, 15 November 2018 (EDT)
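As an added worked example (not part of this thread, and not code from the OWASP project), the following scores kxp43's two scenarios under both readings of "skill level" and then under Jameswartell's reading, where the skill an exploit demands lives in the vulnerability factor "ease of exploit" instead. The function names are mine. The averaging and bucketing rules (step 4: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH) and the full factor tables are taken from the OWASP Risk Rating Methodology page as I know it; only the table endpoints are quoted in this thread. The vulnerability-factor values chosen for Jameswartell's reading are assumptions for illustration, noted in the comments.

```python
"""Scoring kxp43's two scenarios under the competing readings of "skill level".

Assumed, not taken from this talk page: factor scores are averaged and the
average is bucketed per the methodology's step 4 (0 to <3 LOW, 3 to <6 MEDIUM,
6 to 9 HIGH). The factor tables are those on the OWASP Risk Rating Methodology
page; only their endpoints are quoted in the thread.
"""

# Threat agent factor: how skilled is the attacker you expect.
SKILL_LEVEL = {
    "security penetration skills": 9,
    "network and programming skills": 6,
    "advanced computer user": 5,
    "some technical skills": 3,
    "no technical skills": 1,
}

# Vulnerability factor: how much skill the exploit itself demands. This is
# the factor Jameswartell says the "skill required" reading belongs in.
EASE_OF_EXPLOIT = {
    "theoretical": 1,
    "difficult": 3,
    "easy": 5,
    "automated tools available": 9,
}


def likelihood_level(score):
    """Map an averaged 0-9 likelihood score onto the step-4 buckets."""
    if not 0 <= score <= 9:
        raise ValueError("likelihood scores run from 0 to 9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def likelihood(threat_agent, vulnerability=None):
    """Average the threat agent factors, plus the vulnerability factors when
    supplied, and return (score, bucket)."""
    factors = dict(threat_agent)
    if vulnerability:
        factors.update(vulnerability)
    score = sum(factors.values()) / len(factors)
    return round(score, 2), likelihood_level(score)


def kxp43_comparison():
    """kxp43's examples, threat agent factors only, scored with the table as
    it stands and with kxp43's inversion (no technical skills -> 9)."""
    examples = {
        # Example 1: one-click, browser-only theft of every card number.
        "example 1": dict(motive=9, opportunity=9, size=9,
                          skill_required="no technical skills"),
        # Example 2: custom DDoS plus timing attack on a 1-minute-a-year host.
        "example 2": dict(motive=1, opportunity=1, size=1,
                          skill_required="security penetration skills"),
    }
    results = {}
    for name, ex in examples.items():
        base = {k: ex[k] for k in ("motive", "opportunity", "size")}
        current = SKILL_LEVEL[ex["skill_required"]]
        inverted = 10 - current  # flips 1 <-> 9, as kxp43 proposes
        results[name] = {
            "current table": likelihood({**base, "skill_level": current}),
            "kxp43 inverted": likelihood({**base, "skill_level": inverted}),
        }
    return results


def jameswartell_reading():
    """Skill level = worst-case attacker you expect (assumed 9 here: an
    internet-facing target can draw skilled attackers); exploit difficulty
    moves into ease_of_exploit. The remaining vulnerability factors are
    assumed at the extremes kxp43 implies (all 9 for example 1, all 1 for
    example 2), purely for illustration."""
    example1 = likelihood(
        dict(skill_level=9, motive=9, opportunity=9, size=9),
        dict(ease_of_discovery=9,
             ease_of_exploit=EASE_OF_EXPLOIT["automated tools available"],
             awareness=9, intrusion_detection=9))
    example2 = likelihood(
        dict(skill_level=9, motive=1, opportunity=1, size=1),
        dict(ease_of_discovery=1,
             ease_of_exploit=EASE_OF_EXPLOIT["theoretical"],
             awareness=1, intrusion_detection=1))
    return {"example 1": example1, "example 2": example2}


if __name__ == "__main__":
    for name, readings in kxp43_comparison().items():
        for reading, (score, level) in readings.items():
            print(f"{name:10} {reading:15} {score:5} {level}")
    for name, (score, level) in jameswartell_reading().items():
        print(f"{name:10} {'jameswartell':15} {score:5} {level}")
```

Run on its own, the comparison shows where the disagreement actually bites: example 1 lands in HIGH under every reading (7.0 or 9.0 from threat agent factors alone), while example 2 moves from MEDIUM (3.0, current table under the "skill required" reading) to LOW (1.0, kxp43's inversion). Under Jameswartell's reading the worst-case attacker keeps skill level at 9, but once the vulnerability factors that describe the exploit itself are included, example 2 averages 2.0 and is LOW anyway.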

Just editing now... Vanderaj 12:04, 22 December 2006 (EST)

What about compensating controls?

I think it is worthwhile to factor compensating controls into likelihood and impact. For example, if the organization implements an XML firewall, it can reduce the likelihood of some data-based attacks. Alternatively, if they back up their data every hour, the impact is then reduced.