http://blog.php-security.org/ en Serendipity 3.1.4159 - http://www.s9y.org/ http://blog.php-security.org/layout/default/img/s9y_banner_small.png http://blog.php-security.org/ 100 21 http://blog.php-security.org/archives/81-OWASP-Risk-Evaluation.html PHPSecurityStandards http://blog.php-security.org/archives/81-OWASP-Risk-Evaluation.html#comments http://blog.php-security.org/wfwcomment.php?cid=81 5 http://blog.php-security.org/rss.php?version=2.0&type=comments&cid=81 blog-admin@nopiracy.de (Stefan Esser) <br /> When you read the <a href="http://www.owasp.org/index.php/How_to_value_the_real_risk">OWASP risk evaluation standard</a> carefully you might get as confused as I got. They estimate the risk by first estimating the likelihood and then estimating the technical and business impact. The estimation is done by assigning the numbers 0..9 to a number of factors.<p><br />So far so good. Most of it makes perfect sense, but I was a little bit confused about the following factor:</p><dl><dt><b> Opportunity</b><br /> </dt><dd> What resources and opportunity are required for this group of<br /> attackers to find and exploit this vulnerability? No access or special<br /> resources (0), limited access and resources (4), special access or<br /> resources (7), full access or expensive resources (9)</dd></dl><p><br /> According to this factor the likelihood of an attack increases when more access to the application and more expensive resources are required on the attacker's side. I dare to doubt that <img src="http://blog.php-security.org/layout/default/img/emoticons/smile.png" alt=":-)" style="display: inline; vertical-align: bottom;" class="emoticon" /></p> Fri, 11 May 2007 14:00:00 +0000 http://blog.php-security.org/archives/81-guid.html