Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction and implementation OWASP Risk Rating Management

Published byAnis Owen Modified over 6 years ago

Similar presentations

Presentation on theme: "Introduction and implementation OWASP Risk Rating Management"— Presentation transcript:

1 Introduction and implementation OWASP Risk Rating Management
Project Leaders Mohammad Febri Ramadlan Ade Yoseman Putra Nanang Eka Cahya P Present by Ade Yoseman Putra asdasdasdasd

2 About Me Ade Yoseman Putra
OWASP Risk Rating Management Project OWASP Jakarta Indonesia Chapter Lead Founder of Security BSide Indonesia Speakers OWASP KL DAY 2016, University Kuala Lumpur Malaysia  Arsenal, Blackhat Asia Singapore 2017 Taiwan International Information Security Organization Summit 2017, OWASP DAY TAIWAN 2017

3 Risk Rating Methodology
Introduction OWASP Risk Rating Methodology

4 Risk Risk is hazards, consequences that may occur as a result of an ongoing process or future event. Risk factor: Intervension bad habit life style bankrupt Non-Intervension gen age sex

5 Process!!!!

6 Future events

7 Risk Management Risk management is management process that encompasses the identification, evaluation and control of risk that may threaten the continuity of a business or a company's activities. General Objectives: reduce expenditure, prevent companies from failure, increase corporate profits, reduce production costs and many things.

8 Risk Assessment Risk Assessment is methods performed to determine whether an activity / risk has an acceptable or not. Good assessment should to be done by a trained team and experienced. Each company or organization have variety of acceptance level.

9 Risk Rating Method Many standard and guidance that will help you:
DREAD (risk assessment model) CVSS OCTAVE OWASP Threat Risk Modeling OWASP Risk Rating Methodology

10 OWASP Threat Risk Modeling https://www. owasp. org/index

11 OWASP Risk Rating Methodology
Let's start with the standard risk model: Risk = Likelihood * Impact How to use OWASP Risk Rating Methodology: #Step 1: Identifying a Risk #Step 2: Factors for Estimating Likelihood #Step 3: Factors for Estimating Impact #Step 4: Determining Severity of the Risk #Step 5: Deciding What to Fix #Step 6: Customizing Your Risk Rating Model

12 #Step 1: Identifying a Risk
The first step is: to identify a security risk that needs to be rated.

13 #Step 2: Factors for Estimating Likelihood
There are a number of factors that can help determine the likelihood. The first set of factors are related to the threat agent involved. Skill level - How technically skilled is this group of threat agents? Security penetration skills (9), network and programming skills (6), advanced computer user (5), some technical skills (3), no technical skills Motive - How motivated is this group of threat agents to find and exploit this vulnerability? Low or no reward (1), possible reward (4), high reward (9) Opportunity - What resources and opportunities are required for this group of threat agents to find and exploit this vulnerability? Full access or expensive resources required (0), special access or resources required (4), some access or resources required (7), no access or resources required (9) Size - How large is this group of threat agents? Developers (2), system administrators (2), intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)

14 #Step 2: Factors for Estimating Likelihood (Continue)
Vulnerability Factors Ease of discovery - How easy is it for this group of threat agents to discover this vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools available (9) Ease of exploit - How easy is it for this group of threat agents to actually exploit this vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9) Awareness -How well known is this vulnerability to this group of threat agents? Unknown (1), hidden (4), obvious (6), public knowledge (9) Intrusion detection -How likely is an exploit to be detected? Active detection in application (1), logged and reviewed (3), logged without review (8), not logged (9)

15 #Step 3: Factors for Estimating Impact
Again, each factor has a set of options: Loss of confidentiality Loss of integrity Loss of availability Loss of accountability Financial damage Reputation damage Non-compliance Privacy violation

16 #Step 4: Determining the Severity of the Risk (1)
Informal Method Likelihood and Impact Levels 0 to < 3 low 3 to < 6 medium 6 to 9 high

17 #Step 4: Determining the Severity of the Risk (2)
Repeatable Method Likelihood Skill level Motive Opportunity Size Ease of discovery Ease of exploit Awareness Intrusion detection Overall Likelihood 5 9 4 9 3 3 4 8 5.625 Medium

18 #Step 4: Determining the Severity of the Risk (2)
Repeatable Method Likelihood Skill level Motive Opportunity Size Ease of discovery Ease of exploit Awareness Intrusion detection Overall Likelihood 5 9 4 9 3 3 4 8 5.625 Medium

19 #Step 4: Determining the Severity of the Risk (2)
Repeatable Method (2) Impact Loss of confidenti-ality Loss of integrity Loss of availability Loss of account-ability Financial damage Reputation damage Non-compliance Privacy violation Overall Impact 5 7 7 7 7 9 7 7 7.0 High

20 #Step 4: Determining the Severity of the Risk (2)
Repeatable Method (2) Impact Loss of confidenti-ality Loss of integrity Loss of availability Loss of account-ability Financial damage Reputation damage Non-compliance Privacy violation Overall Impact 5 7 7 7 7 9 7 7 7.0 High

21 #Step 4: Determining the Severity of the Risk (3)
Determining Severity Overall Risk Severity IMPACT High MEDIUM HIGH CRITICAL Medium LOW Low NOTE LIKELIHOOD

22 #Step 4: Determining the Severity of the Risk (3)
Determining Severity Overall Risk Severity IMPACT High MEDIUM HIGH CRITICAL Medium LOW Low NOTE LIKELIHOOD

23 #Step 5: Deciding What to Fix
After the risks to the application have been classified there will be a prioritized list of what to fix. As a general rule, the most severe risks should be fixed first. It simply doesn't help the overall risk profile to fix less important risks, even if they're easy or cheap to fix. Remember that not all risks are worth fixing, and some loss is not only expected, but justifiable based upon the cost of fixing the issue.

24 #Step 6: Customizing the Risk Rating Model
Having a risk ranking framework that is customizable for a business is critical for adoption. Adding factors Customizing options Weighting factors

25 Tools

26 1. OWASP Risk Rating Template (excel format) https://www. owasp

27 2. OWASP Risk Rating Calc (one website/domain) https://gist. github

28 3. OWASP Risk Rating Management (many website/domain)

29 //category set by OWASP Top 10 - 2013

30 //you can assesst many website as you want (dynamic)

31 Thank you..

Download ppt "Introduction and implementation OWASP Risk Rating Management"

Similar presentations

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
…optimise your IT investments Spreadsheet Management Maturity Model Philip Howard Research Director – Bloor Research.

…optimise your IT investments Spreadsheet Management Maturity Model Philip Howard Research Director – Bloor Research.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.

Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
Principles of Information Security, 2nd Edition1 Risk Management.

Principles of Information Security, 2nd Edition1 Risk Management.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
The Information Systems Audit Process

The Information Systems Audit Process
Vulnerability Assessments

Vulnerability Assessments
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Visual 3. 1 Lesson 3 Risk Assessment and Risk Mitigation.

Visual 3. 1 Lesson 3 Risk Assessment and Risk Mitigation.
ISMS for Mobile Devices Page 1 ISO/IEC 27001 Information Security Management System (ISMS) for Mobile Devices Why apply ISMS to Mobile Devices? Overview.

ISMS for Mobile Devices Page 1 ISO/IEC Information Security Management System (ISMS) for Mobile Devices Why apply ISMS to Mobile Devices? Overview.
Practical Implementation of Automated Assessment Tools for the IT Auditor John A. Otte, CISSP, CISA, CFE, EnCE, MSIA Director, Strategic Services FishNet.

Practical Implementation of Automated Assessment Tools for the IT Auditor John A. Otte, CISSP, CISA, CFE, EnCE, MSIA Director, Strategic Services FishNet.
Security Awareness: Applying Practical Security in Your World Chapter 1: Introduction to Security.

Security Awareness: Applying Practical Security in Your World Chapter 1: Introduction to Security.
Slide 1 Using Models Introduced in ISA-d99.00.01 Standard: Security of Industrial Automation and Control Systems (IACS) Rahul Bhojani ISA SP99 WG4 Meeting.

Slide 1 Using Models Introduced in ISA-d Standard: Security of Industrial Automation and Control Systems (IACS) Rahul Bhojani ISA SP99 WG4 Meeting.

Similar presentations

Ads by Google