Talk:OWASP Risk Rating Methodology

From OWASP
Jump to: navigation, search

Stop Edit War - Threat Agent Factors Discussion

The threat agent factors are clearly being misunderstood. This is not the level of skill needed to attack the application. It is the expected level of skill of people you suspect would try to attack your application. Obviously the more skilled the attacker, the higher your risk. You can tell this is the case when it says "Use the worst-case threat agent." Clearly someone with "network and programming skills" is a worse case threat agent than someone with "no technical skills", so do not revert my edit to say the opposite without discussion here. The last 5 edits have been people reverting each other without discussion. If you disagree, make your case here and we'll hash it out. Jameswartell --(talk) 10:10, 7 August 2018 (CDT)

The level of skill needed to exploit the hack is a factor of the vulnerability, not the threat agents btw. I suspect the factor people are confusing this with is "ease of exploit". --Jameswartell (talk) 10:21, 7 August 2018 (CDT)

Discussion - Threat Agent Factor - Skill Level

Per step 4, do we agree that the numeric goal is 6-9 = highest likelihood, while 0 to < 3 is lowest likelihood for all likelihood factors?

1. If you look at the size likelihood factor, would you say that developers or anonymous internet users are the higher likelihood? Current values: Developers (2) anonymous Internet users (9)

2. If you look at the skill level likelihood factor: If a person with no technical skills can pull off a successful attack, isn't that the highest likelihood? Shouldn't people with some technical skills include people with no technical skills? Shouldn't advanced computer users include people with no technical skills? Current values: No technical skills (1) security penetration skills (9)

To restate: The goal is to give the highest number to the highest likelihood. If a person with no technical skills is likely to pull off the attack, wouldn't that include people with security penetration skills? Wouldn't that have the highest likelihood?

Example 1: A 1 click exploit only requiring a browser allows someone to get all valid credit card numbers. A baby who is not able to walk can run this exploit. Would we agree that threat agent values = Skill level = 9 Motive = 9 Opportunity = 9 Size = 9 (This would indicate highest risk.) Using your example, the "skill level" would be 1, not 9, lowering the risk.

Example 2: An exploit requiring writing custom code to create a distributed denial of service and timing attack is required to get the name of my favorite animal type from an encrypted file on my web server that is only up for 1 minute a year.

Would we agree that threat agent values = Skill level = 0-1 Motive = 1 Opportunity = 1 Size = 1 (This would indicate lowest risk.)

Using the current values, the skill level would be 9, not 1, increasing risk.

Summary: The goal is to give highest number (9) to highest likelihood. Doing math for simple example cases indicate a flaw that caused this "edit war". kxp43 ([[User talk:kxp43|talk]) 15:43, 15 November 2018 (EDT)

Just editing now... Vanderaj 12:04, 22 December 2006 (EST)

What about compensating controls?

I think it is worthwhile to factor in compensating controls into likelihood and impact. For example, if the organization implements an XML firewall, it can reduce like likelihood some data-based attacks. Alternatively, if they backup their data every hour, the impact is then reduced.