OWASP Risk Rating Methodology

[Up]

Background
Application security risk analysis consists in the assessment of the levels of risk calculated for threats and vulnerabilities. Risk assessment practitioners usually refer to application security risk analysis as technical risk assessment. In the technical risk assessment, threat and vulnerability represent the two factors (i.e. multipliers) used for risk calculation. Depending on the empirical risk formulation chosen, different parameters can be used to characterize threats and vulnerabilities and calculate the final risk value. By associating risk values to each of the findings it is possible to prioritize vulnerabilities and fix first the ones with higher risks that is by threats with highest impact, ease of exploitation and exposure. On the other hand, information risk analysts also look to other risk factors while deciding the strategy for mitigating application security risks such the evaluation of business impacts derived by the exploitation of the vulnerability. Technical risks and business impact analysis are both evaluated as part of the information risk management strategy that includes selection and adoption of countermeasures justified by the identified risks to assets and the reduction of those risks to acceptable levels. For the purpose of this guide we limit the scope of risk evaluation to technical impact analysis that is the evaluation of risk for found vulnerabilities and identified threats.

Definitions
For the scope of the risk assessments of this guide the definitions for risk, threat and vulnerability are taken from the the Risk Management Guide for Information Technology Systems of NIST
 * Risk is the probability that a particular threat will exercise a particular information system vulnerability and the resulting impact if this should occur.
 * Threat is the potential to exercise (accidentally trigger or intentionally exploit) a specific vulnerability
 * Vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

Risks Formulation
For the purposes of a security assessment, OWASP defines the risk associated with a security finding as a product of the Impact (Imp), Ease of Exploitation (EoE) and Exposure (Exp):  '''Risk = Imp x EoE x Exp By breaking down the security findings in this way, threats criticality and the implication of the vulnerability exposure may be better evaluated and risks can be prioritized and managed. The risk evaluation is taken out of the context of the nature of the application or host (e.g. server, firewall or workstation), and regardless of the type of data stored on it. The impact and the easiness of exploitation of a threat are usually considered the main factors in determining the criticality of threats. In this case, impact is taken as a measure of the implication of a discrete component being compromised (e.g. attack potency). The ease of exploitation for a threat can be further described as a factor of discoverability and reproducibility of a threat. Exposure quantifies the likelihood that the vulnerability can be compromised through its availability. For example, an easily exploited vulnerability on an Internet facing host would be highly exposed, and therefore very likely to be compromised. An internal host with a vulnerability that was difficult to exploit would present a much lower threat.

Threat Categorizations
For the purpose of the OWASP testing guide, threats can be identified for each of the testing category using threat categorization frameworks(e.g. STRIDE, TRIKE, Web Application Security Frame etc). OWASP does not endorse any specific threat categorization, but rather recommends the adoption of a threat categorization depending on the specific objectives of the security assessment. A critical review of threat categorization frameworks can be found in the Security In The Software Lifecycle from DHS In general, categorizations that focus on threats rather than attacks are more suitable for the identification of countermeasures. Example of specific objectives for the risk evaluation are:
 * Regulatory and requirements compliance
 * Tactical prioritization for mitigation of vulnerabilities (e.g. high risk first)
 * Risk strategy selection

Risk Ranking Systems
Before any kind of calculation can be done appropriate values for the impact, ease of exploitation and exposure have to be found. Every risk parameter can be assigned a qualitative value based on its importance (e.g. severity). Using qualitative values rather than quantitative ones can help avoid the ranking becoming overly subjective. The same argument holds true for the number of different qualitative values, hence, only three different values (high, medium, low) are used.

However while determining qualitative values for risk several risk ranking systems can be used:
 * Proprietary common vulnerability list risk ranking
 * Industry standard vulnerability severity and risk rankings (CVSS)
 * Security-enhancing process models vulnerability root cause categorization (CLASP )
 * Threat modeling risk rankings (DREAD, TRIKE, PTA, CORAS, SECURIS, T-MAP)

Quantitative Risk Calculation Example
Threat Criticality Calculation As already mentioned above, the criticality of threats is determined by the Impact (Imp) and the Ease of exploitation (EoE) risk factors. The impact mainly depends on the Damage Potential (DaP) and the number of components (NoC) that are affected by a threat. The Ease of Exploitation (EoE)is determined by the Degree of Discoverability (Dis) and Reproducibility (Rep).

However, before any kind of calculation can be done, appropriate values for these parameters have to be found. A generic questionnaire can provide some example questions that support the determination of these qualitative values based upon each threat categorization. For the scope of this risk model, the SecurityFrame Threat categorization will be used.

Based on the values assigned to the risk parameters of DaP, NoC, Dis and Rep the two representative values for Criticality (Cri) of the Threat and Ease of Exploitation (EoE) have to be determined.

Hence, some kind of function has to be found, that should provide the following features for its result:
 * depend on all corresponding parameters
 * be some kind of average of the individual values
 * be more dependent on high input values

To provide these features the root mean square formula will be used. However, before any calculation can be carried out, numeric representations have to be found for the qualitative values. Since the combination of a High and a Low value should lead to a Medium value, the numeric values can be determined by applying the root mean square formula:

M = sqrt(H^2+L^2)

Hence, if the Low and High value have been defined, it is possible to calculate the corresponding Medium value. Throughout this model the numeric values for High and Low will be 10 and 1 respectively, which leads to a rounded value of 7 for Medium. Using the corresponding numeric values for each of the qualitative risk parameters, the values for impact and ease of exploitation can be calculated by using the following formulas:

Impact Value for a Threat: Imp = sqrt((DaP^2+NoC^2)/2) where:
 * DaP = Damage Potential Value for Threat
 * NoC = Number of Affected Components Value for Threat

Ease of Explotation for a Threat: EaE= sqrt((DiS^2+Rep^2)/2) where:
 * Dis = Discoverability Value for Threat
 * Rep = Reproducibility Value for Threat

The two calculated values can be finally combined to determine the criticality value of a threat as: Cri = sqrt((Imp^2+EaE^2)/2)

For example, based upon the questionnaire, a data validation threat is rated with the following qualitative values:
 * DaP = Low (1)
 * NoC = Medium (7)
 * Dis = High (10)
 * Rep = Medium (7)

Based upon these values, the following factors can be calculated:
 * Imp: sqrt((1+7^2)/2)=5
 * EoE: sqrt((10^2+7^2)/2)= 8.63

Finally the Criticality for the Threat is:
 * Cri: sqrt((5^2+ 8.63^2)/2)= 7.05

Vulnerability Exposure Calculation The vulnerability exposure (Exp) is the measure of susceptibility to a particular threat. The vulnerability exposure of an asset can be measured on the 1 to 10 scale, where 1 indicates that the particular asset is not exposed to the vulnerability and 10 indicates that the asset is extremely open to the particular issue. For degree to which an asset is exposed to the vulnerability can be factored as a degree of mitigation of the vulnerability due to countermeasures. A vulnerability with no countermeasures fully exposes the asset to the attack. For the purpose of vulnerability exposure three different qualitative values should be used; full, partial and none. For every threat it must be determined if a countermeasure has been found or not. If a countermeasure was found for a threat that exactly addresses the vulnerability that enables the threat, this threat can be regarded as fully mitigated (10 value). However, if a countermeasure has been found for a threat, but it does not provide this degree of protection the mitigation is only partial (7 value). Naturally, if no countermeasure was found, there is no mitigation (1 value).

For example a buffer overflow vulnerability is found in a web application that is categorized as data validation threat according to the SecurityFrame. Since only client side validation is implemented instead of both client and server side input validation, the server is partially exposed to data validation threats. Therefore Exp = 7 is assigned (partial exposure)

Risk Value Calculation After the criticality (Cri) and the vulnerability exposure (Exp) values have been determined a final risk value can be computed. Since both criticality and exposure are defined by a quantitative value the risk value is again calculated by using the root mean square: Risk = sqrt((Cri^2+Exp^2)/2) Using the values in the example: Risk: sqrt((7^2+7.05^2))=7 (Medium Risk)
 * Cri=7.07
 * Exp=7

In general not all values fall nicely as 1 (Low,) 7 (Medium) or 10 (High), therefore a method should be available to associate qualitative values to generic numbers. This can be done by assigning qualitative values to the numeric criticality. In this case appropriate intervals have to be defined based upon the following:
 * the combination of a Medium and Low value must lead to a Low value
 * the combination of a High and a Medium value must lead to a High value

Using these two conditions the boundaries can be determined by using the root mean square again.
 * Boundary between Low (L) and Medium (M): B1 > sqrt(M^2+L^2)/2)
 * Boundary between Medium (M) and High (H): B2 < sqrt(M^2+H^2)/2)

Therefore the interval is L ≤ B1 < M < B2 ≤ H, or in numeric values L ≤ 5 < M < 8 ≤ H. For example a Risk value between 1 and 5 is considered low, between 5 and 8 is considered medium and between 8 and 10 is considered High.

Qualitative Risk Calculation Example (TBD)
Risk Parameters: Impact (Imp) Ease of Exploitation (EoE) Exposure (Exp) {{Category:OWASP Testing Project AoC}
 * Critical
 * High
 * Medium
 * Low
 * Easy
 * Moderate
 * Difficult
 * Very high
 * High
 * Medium
 * Low