This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Risk Rating Methodology

From OWASP
Revision as of 03:38, 20 November 2006 by Mmorana (talk | contribs) (Example: B (TBD))

Jump to: navigation, search

[Up]
OWASP Testing Guide v2 Table of Contents

Application Security Risk Analysis

Background

Application security risk analysis consists in the assessment of the levels of risk calculated for threats and vulnerabilities. Risk assessment practitioners usually refer to application security risk analysis as technical risk assessment. In the technical risk assessment, threat and vulnerability represent the two factors (i.e. multipliers) used for risk calculation. Depending on the empirical risk formulation choosen, different parameters can be used to characterize threats and vulnerabilities and calculate the final risk value. By associating risk values to each of the findings it is possible to prioritize vulnerabilities anf fix first the ones with higher risks that is by threats with highest impact, ease of exploitation and exposure. On the other hand, information risk analysts also look to other risk factors while deciding the strategy for mitigating application security risks such the evaluation of business impacts derived by the exploitation of the vulnerability. Technical risks and business impact analysis are both evaluated as part of the information risk management strategy that includes selection and adoption of countermeasures justified by the identified risks to assets and the reduction of those risks to acceptable levels. For the purpose of this guide we limit the scope of risk evaluation to technical impact analysis that is the evaluation of risk for found vulnerabilities and identified threats.

Definitions

For the scope of the risk assessments of this guide the definitions for risk, threat and vulnerability are taken from the the Risk Management Guide for Information Technology Systems of NIST[1]

  • Risk is the probability that a particular threat will exercise a particular information system vulnerability and the resulting impact if this should occur.
  • Threat is the potential to exercise (accidentally trigger or intentionally exploit) a specific vulnerability
  • Vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentially triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

Risks Formulation

For the purposes of a security assessment, OWASP defines the risk associated with a security finding as a product of the Impact (Imp), Ease of Exploitation (EoE) and Exposure (Exp):

Risk = Imp x EoE x Exp

 By breaking down the security findings in this way, threats criticality and the implication of the vulnerability exposure may be better evaluated and risks can be prioritized and managed. The risk evaluation is taken out of the context of the nature of the application or host (e.g. server, firewall or workstation), and regardless of the type of data stored on it.
The impact and the easiness of exploitation of a threat are usuallyconsidered the main factors in determining the criticality of threats. In this case, impact is taken as a measure of the implication of a discrete component being compromised (e.g. attack potency). The ease of exploitation for a threat can be further described as a factor of discoverability and reproducibility of a threat. Exposure quantifies the likelihood that the vulnerability can be compromised through its availability. For example, an easily exploited vulnerability on an internet facing host would be highly exposed, and therefore very likely to be compromised. An internal host with a vulnerability that was difficult to exploit would present a much lower threat.

Threat Categorizations

For the purpose of the OWASP testing guide, threats can be identified for each of the testing category using threat categorization frameworks(e.g. STRIDE, TRIKE, SecurityFrame etc). OWASP does not endorse any specific threat categorization, but rather recommends the adoption of a threat categorization depending on the specific objectives of the security assessment. A critical review of threat categorization frameworks can be found in the Security In The Software Lifecycle from DHS [2]In general, categorizations that focus on threats rather than attacks are more suitable for the identification of countermeasures. Example of specific objectives for the risk evaluation are:

  • Regulatory and requirements compliance
  • Tactical prioritization for mitigation of vulnerabilities (e.g. high risk first)
  • Overall risk strategy selection

Risk Ranking Systems

Before any kind of calculation can be done appropriate values for the impact, ease of exploitation and exposure have to be found. Every risk parameter can be assigned a qualitative value based on its importance (e.g. severity). Using qualitative values rather than quantitative ones can help avoid the ranking becoming overly subjective. The same argument holds true for the number of different qualitative values, hence, only three different values (high, medium, low) are used.

However while determining qualitative values for risk several risk ranking systems can be used:

  • Proprietary common vulnerability list risk ranking
  • Industry standard vulnerability severity and risk rankings (CVSS[3])
  • Security-enhancing process models vulnerability root cause categorization (CLASP [4])
  • Threat modeling risk rankings (DREAD[5], TRIKE[6], PTA [7], CORAS[8], SECURIS[9], T-MAP[10])

Risks Calculation Models (TBD)

Example: A (TBD)

Risk Categories: Impact (imp)

  • critical
  • high
  • medium
  • low

Ease of Exploitation (EoE)

  • Easy
  • Moderate
  • Difficult

Exposure (Exp)

  • Very high
  • High
  • Medium
  • Low

Example: B (TBD)

Threat Criticality Calculation As already mentioned above, the criticality of threats is determined by the impact and the easy of exploitation. The impact mainly depends on the damage potential and the number of components that are affected by a threat. The ease of exploitation is determined by the degree of discoverability and reproducibility. However, before any kind of calculation can be done appropriate values for the parameters have to be found. A generic questionnaire can provide some example questions that support the determination of these values. Based on the values assigned to the parameters, the two representative values for criticality and exploitation have to be determined. Hence, some kind of function has to be found, that should provides the following features for its result:

  • depend on all corresponding parameters
  • be some kind of average of the individual values
  • be more dependent on high input values

To provide these features the root mean square will be used. However, before any calculation can be carried out, numeric representations have to be found for the qualitative values. Since the combination of a High and a Low value should lead to a Medium value, the numeric values can be determined by applying the root mean square formula.

Impact value for a threat can be calculated with the following formula:
Imp = sqrt((DaP^2+AfC^2)/2)
where:

  • DaP = Damage Potential Value for Threat
  • AfC = Affected Components Value for Threat

Ease of Explotation for a threat can be calculated with the following formula:
EaE= sqrt((DiS^2+Rep^2)/2)
where:

  • Dis = Discoverability Value for Threat
  • Rep = Reproducibility Value for Threat

To finally determine the criticality value of a threat based on the two values of Impact and Ease of Exploitation, the root mean square has to be calculated: CrI = sqrt((Imp^2+EaE^2)/2)

'Vulnerability Exposure Calculation TBD
Risk Value Calculation TBD

OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Risk_Rating_Methodology&oldid=13389"