Owais Ahmed, Santiago Aragón, Vladyslav Cherednychenko, Mohammed Habib
University of Twente
We aim to analyze the OWASP Risk Rating Methodology (ORRM) proposed in [1]. The methodology presents a framework to estimate the risk associated with running a web application. ORRM tries to strike the right balance between usability and level of detail in order to provide accurate risk estimates that aid in making informed decisions.
The ORRM approach is based on the traditional risk model:
Risk = Likelihood * Impact
To compute the severity of the risk, it estimates the likelihood of threat agent factors (LTF) and vulnerability factors (LVF) and the impact of technical factors (ITF) and business factors (IBF). Each factor and its likelihood consist of different fields that help to describe that area, e.g. LVF is described by Ease of discovery, Ease of exploit, and Intrusion detection. Each of these fields can be graded from 0 to 9. Finally, to compute a grade for a factor/likelihood, all the fields that describe the factor/likelihood are averaged and then mapped to these three categories:
Likelihood and Impact Levels
0 to <3   LOW
3 to <6   MEDIUM
6 to 9    HIGH
We would like to highlight three possible enhancements that can be applied to the ORRM framework.
1. The fields describing the likelihood and the factors could have more standardized names and descriptions, e.g. FAIR concepts could be used [2].
2. Averaging all the factors describing likelihood and impact produces a large information loss. Moreover, there are factors that by their own nature should contribute more to the risk than others, e.g. for some applications the Loss of accountability is not as important as the Loss of availability. Thus, we propose to add an importance coefficient (IC) to each of the fields.
3. To contribute to the OWASP community, we propose to compute the IC of each field based on the feedback given by the community, i.e. a database containing web application types and the coefficients used. Moreover, if a company X used a set of coefficients S and after an incident the estimated risk differs from reality, X can feed this information into the database system, and using Bayesian probability a more accurate set of coefficients S can be computed.
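The following is an added illustration of enhancement 2, not code from the paper or from OWASP: it computes the plain ORRM average and the proposed IC-weighted average for the same graded fields and maps both to the LOW/MEDIUM/HIGH bands above. The field names are those of the OWASP methodology's factor lists; the grades and the coefficient values are constructed for the example.

```python
def level(score):
    """Map a 0..9 score to the ORRM bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0..9 grading range")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def score(fields, ic=None):
    """Grade one factor group.

    fields: {field name: grade 0..9} for a likelihood or impact group.
    ic:     {field name: importance coefficient >= 0}. None reproduces the plain
            ORRM average (every field weighs 1.0); fields absent from ic also
            keep weight 1.0, so a partial set of coefficients is accepted.
    """
    if not fields:
        raise ValueError("a factor group needs at least one field")
    weights = {name: (ic or {}).get(name, 1.0) for name in fields}
    if any(w < 0 for w in weights.values()) or sum(weights.values()) == 0:
        raise ValueError("importance coefficients must be >= 0 and not all zero")
    return sum(fields[n] * weights[n] for n in fields) / sum(weights.values())

def rate(likelihood_fields, impact_fields, ic=None):
    """Return (likelihood score, likelihood band, impact score, impact band)."""
    lik = score(likelihood_fields, ic)
    imp = score(impact_fields, ic)
    return lik, level(lik), imp, level(imp)

# Constructed scenario: an availability-critical web application.
LIKELIHOOD = {  # threat agent factors (LTF) + vulnerability factors (LVF)
    "skill level": 6, "motive": 4, "opportunity": 7, "size": 6,
    "ease of discovery": 7, "ease of exploit": 5,
    "awareness": 6, "intrusion detection": 3,
}
IMPACT = {  # technical impact factors (ITF) only, to keep the example short
    "loss of confidentiality": 2, "loss of integrity": 2,
    "loss of availability": 9, "loss of accountability": 1,
}
# Constructed importance coefficients: availability dominates, accountability barely counts.
IC = {"loss of availability": 4.0, "loss of accountability": 0.25}

if __name__ == "__main__":
    for label, coeffs in (("plain ORRM average", None), ("IC-weighted", IC)):
        lik, lb, imp, ib = rate(LIKELIHOOD, IMPACT, coeffs)
        print(f"{label:20s} likelihood {lik:.2f} {lb:6s} impact {imp:.2f} {ib}")
```

With the plain average the technical impact lands at 3.50 (MEDIUM); with the coefficients it becomes 6.44 (HIGH), which is exactly the difference the importance coefficient is meant to surface.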
[1] OWASP Risk Rating Methodology. Available at: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
[2] Jack A. Jones (2005). An Introduction to Factor Analysis of Information Risk (FAIR). Risk Management Insight.