
CRV2 RiskBasedApproach

From OWASP
Revision as of 09:55, 17 February 2014 by Gary David Robinson (talk | contribs) (Created page with "Development notes: * Doing things right or doing the right things... * Not all bugs are equal * long term or short term risk * Accept, Transfer, Avoid or Reduce * integr...")


Development notes:

* Doing things right versus doing the right things: a review can be thorough and still spend its effort on the wrong code.
* Not all bugs are equal.
* Long-term versus short-term risk.
* The four treatments: Accept, Transfer, Avoid or Reduce.
* Integrate into a repeatable CCPM.
* Management will ultimately own the risk.
* CIA (confidentiality, integrity, availability) as the lens for what is at risk.
* Management of resources (machines, time, skills).
* What is high risk? Ease of exposure? Value of loss?
* Analogy to car development/maintenance risk. Subjective versus regimented risk; code under regulatory controls is higher risk.
* Test everything, or just the high-risk parts?
* Risk analysis involves cost/benefit analysis.
* Sizing the review would let management know what resources are needed.
* Redundancy and physical failure.
* High-risk issues/features are candidates for automated testing and review checks.
* Many static analysis tools allow modules/tests to be plugged in; high-risk code is a candidate to be mitigated this way.
* Separate codelines for more sensitive code.
* Quantitative versus qualitative risk.
* Risk could determine who reviews, how many people, the number of sign-offs, etc.
* Risk is the chance of something bad happening and the damage if it occurs.
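Worked example of the notes above, added here as illustration and not part of the original page or of any OWASP tool: each changed component gets a likelihood score (ease of exposure) and an impact score (value of loss), risk is the product of the two, a qualitative band is derived from it, and the band decides how many reviewers, whether a security sign-off is needed, which automated checks run and whether the code lives on a separate codeline. The same chance-times-damage idea is carried through quantitatively as an annual loss expectancy, which drives the Accept, Reduce, Transfer or Avoid decision by comparing expected loss against cost. The 1..5 scales, band thresholds, policy table, hour rates and sample components are all assumptions chosen for the example.

```python
"""Risk-based triage for code review (added example; not the OWASP page's own code).

Hypothetical model: each changed component carries a likelihood score
(ease of exposure) and an impact score (value of loss), both 1..5.
Risk = likelihood * impact ("chance of something bad happening and the
damage if it occurs"). Bands, policy table and cost figures are
illustrative assumptions, not OWASP guidance.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    likelihood: int          # 1 = hard to reach .. 5 = internet-facing, unauthenticated
    impact: int              # 1 = cosmetic .. 5 = regulated data or safety impact
    regulated: bool = False  # regulatory controls push a component to at least HIGH
    lines_changed: int = 0


@dataclass(frozen=True)
class ReviewPolicy:
    band: str
    reviewers: int
    security_signoff: bool
    automated_checks: tuple
    separate_codeline: bool
    review_hours: float


def risk_score(c: Component) -> int:
    """Chance (likelihood) times damage (impact); range 1..25."""
    for v in (c.likelihood, c.impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be 1..5")
    return c.likelihood * c.impact


def risk_band(c: Component) -> str:
    """Qualitative band derived from the score; regulated code is never below HIGH."""
    score = risk_score(c)
    if c.regulated or score >= 13:
        return "HIGH"
    if score >= 5:
        return "MEDIUM"
    return "LOW"


# Assumed policy table (a team decision, not a standard):
# band -> (reviewers, security sign-off, automated checks, separate codeline, hours per 100 LoC)
_POLICY = {
    "LOW":    (1, False, ("lint",), False, 0.25),
    "MEDIUM": (2, False, ("lint", "sast"), False, 0.5),
    "HIGH":   (2, True, ("lint", "sast", "custom-risk-rules"), True, 1.5),
}


def review_policy(c: Component) -> ReviewPolicy:
    """Risk decides who reviews, how many sign-offs, and which automated checks run."""
    band = risk_band(c)
    reviewers, signoff, checks, codeline, rate = _POLICY[band]
    hours = round(rate * c.lines_changed / 100, 2)
    return ReviewPolicy(band, reviewers, signoff, checks, codeline, hours)


def size_review(components) -> dict:
    """Size the review so management can see what resources a release needs."""
    policies = [review_policy(c) for c in components]
    return {
        "components": len(policies),
        "high_risk": sum(p.band == "HIGH" for p in policies),
        "reviewer_hours": round(sum(p.review_hours * p.reviewers for p in policies), 2),
    }


def annual_loss_expectancy(probability_per_year: float, loss_if_occurs: float) -> float:
    """Quantitative form of the same idea: chance per year times damage."""
    return probability_per_year * loss_if_occurs


def choose_treatment(ale: float, control_cost: float, transfer_cost: float, tolerance: float) -> str:
    """Accept, Reduce, Transfer or Avoid, by comparing expected loss with the cost of each option."""
    if ale <= tolerance:
        return "ACCEPT"                      # within appetite: management owns it as-is
    if min(control_cost, transfer_cost) < ale:
        return "REDUCE" if control_cost <= transfer_cost else "TRANSFER"
    return "AVOID"                           # no option pays for itself: drop or redesign the feature


if __name__ == "__main__":
    # Constructed sample components, not real project data.
    sample = [
        Component("login-handler", likelihood=5, impact=4, lines_changed=300),
        Component("card-vault", likelihood=2, impact=5, regulated=True, lines_changed=80),
        Component("help-page-css", likelihood=1, impact=1, lines_changed=40),
    ]
    for c in sample:
        print(c.name, review_policy(c))
    print(size_review(sample))
    ale = annual_loss_expectancy(0.1, 500_000)
    print(ale, choose_treatment(ale, control_cost=20_000, transfer_cost=35_000, tolerance=5_000))
```

The band thresholds and the policy table are where a team encodes its own appetite; the point of keeping them in one place is that the same component always gets the same review treatment regardless of who files the change, which is what makes the process repeatable.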