This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Talk:OWASP Risk Rating Methodology

From OWASP
Revision as of 15:10, 7 August 2018 by Jameswartell (talk | contribs) (Threat agent factors)

Jump to: navigation, search

Stop Edit War - Threat Agent Factors Discussion

The threat agent factors are clearly being misunderstood. This is not the level of skill needed to attack the application. It is the expected level of skill of people you suspect would try to attack your application. Obviously the more skilled the attacker, the higher your risk. You can tell this is the case when it says "Use the worst-case threat agent." Clearly someone with "network and programming skills" is a worse case threat agent than someone with "no technical skills", so do not revert my edit to say the opposite without discussion here. The last 5 edits have been people reverting each other without discussion. If you disagree, make your case here and we'll hash it out. Jameswartell (talk) 10:10, 7 August 2018 (CDT)


Just editing now... Vanderaj 12:04, 22 December 2006 (EST)

What about compensating controls?

I think it is worthwhile to factor in compensating controls into likelihood and impact. For example, if the organization implements an XML firewall, it can reduce like likelihood some data-based attacks. Alternatively, if they backup their data every hour, the impact is then reduced.