OWASP Risk Evaluation

Friday, May 11. 2007

When you read the OWASP risk evaluation standard carefully you might get as confused as I got. They estimate the risk by first estimating the likelihood and then estimating the technical and business impact. The estimation is done by assigning the numbers 0..9 to a number of factors.

So far so good. Most of it makes perfect sense, but I was a little bit confused about the following factor:

Opportunity: What resources and opportunity are required for this group of
attackers to find and exploit this vulnerability? No access or special
resources (0), limited access and resources (4), special access or
resources (7), full access or expensive resources (9)

According to this factor the likelihood of an attack increases when more access to the application and more expensive resources are required on the attacker's side. I dare to doubt that

Posted by Stefan Esser in Security, PHP, Standards at 14:00

Comments (5)

Link to this post

Comments

Display comments as (Linear | Threaded)

#1 Magoo ()

Well, one example would be access to giant rainbow tables. The amount of storage required to hold rainbow tables can become significant depending on what type of cryptography was used, and minimum password requirements were in place (lets pretend password hashes were compromised)

I can see how that lack of resources would prevent cryptography from being immediately compromised, but I'm having trouble with other scenarios.

posted on Saturday, May 12. 2007

#1.1 Stefan Esser wrote (Link) ()

I believe the writeup simply has the numbers 0..9 in reverse for this factor.

It is simply not logical that the likelihood of an attack increases the harder it gets for the attacker.

Because the consequence would be: Do not protect your system and the likelihood goes down

posted on Sunday, May 13. 2007

#1.1.1 Magoo ()

Yeah, it was simply backwards. It's fixed already (wiki)

posted on Monday, May 14. 2007

#2 Jeff Williams wrote (Link) ()

Good catch - we had a transcription error in the page. It's been fixed. Thanks!

posted on Monday, May 14. 2007

#3 Klettergriffe wrote (Link) ()

Very simple. thanks a lot.

posted on Saturday, May 19. 2007

Add Comment

Name:

Email:

Homepage:

In reply to:

Comment:
Standard emoticons like :-) and ;-) are converted to images.

Remember Information? Subscribe to this entry
Submitted comments will be subject to moderation before being displayed.

Calendar