Possible OWASP scoring issue #1

Closed
nojeffrey opened this issue Feb 26, 2014 · 7 comments

Comments

@nojeffrey

When submitting a risk and using the OWASP option under Threat Agent Factors/Skill Level, the rating is 1=No technical skills, and 9=Security penetration skills.

But on the OWASP page : https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
Under skill level, the values are around the other way, 1=Security penetration skills, and 9=No technical skills.

This is the difference between a risk having a score of 10, and now that I've switched it around 1.1

@nojeffrey
Author

Actually I think there is a bug here: my first 3 risks I've added all had a score of 10 using this OWASP scoring system. If I go in and edit a risk and change one value from this OWASP score, it changes the score dramatically, for example:
[screenshot from 2014-02-26 11 49 33]
I changed Motive from 7 to 6, and the score went from 10 to 2.8, which does seem accurate now.

If I change it back to 7 it goes up to 2.9.

@jsokol
Member

jsokol commented Feb 26, 2014

Thanks Jeffrey.  I will take a look into this and get back with you.  Can you please provide me with what version of SimpleRisk you are using?

Sincerely, 

Josh Sokol
Creator of SimpleRisk
http://www.simplerisk.org


@nojeffrey
Author

Yep the latest: 20140224-001

@jsokol
Member

jsokol commented Feb 26, 2014

Awesome. Thanks for the quick response. I will investigate and get
back with you on this.


@jsokol
Member

jsokol commented Feb 27, 2014

OK, I've confirmed that OWASP updated this metric in October 2013:

https://www.owasp.org/index.php?title=OWASP_Risk_Rating_Methodology&diff=167414&oldid=161133

This change will be incorporated into the next release of SimpleRisk, but in the meantime, if you'd like to update the verbiage yourself, just search for "No Technical Skills" in the /includes/display.php page. It only affects the help section and not the rating itself. I'm taking a look at the second issue you reported around the actual scoring now.

@jsokol
Member

jsokol commented Feb 27, 2014

There was definitely a bug in the way I was calculating the OWASP score. Part of this is brought on by the fact that the OWASP Risk Scoring Methodology is non-specific about how a final score should be calculated. The way I do this now is by averaging the two impact values together and then the two likelihood values together. Then I multiply both of those values and divide by 10. This is what the JavaScript was doing in the scorer when you first score a risk, and I should have just done that in the other locations as well. This will be rolled into the next release, but as I just released a new version and don't want to roll a whole new version so quickly after the last for a relatively minor bug, I'm providing the following bundle which you can extract on top of your existing instance to correct both of the issues you reported. No need to run any upgrade.php script for this.

https://simplerisk.it/simplerisk-20140227-001.tgz

Thanks for reporting the bug and I hope this helps!
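The calculation described in the comment above, written out as an added example. This is not SimpleRisk's code and not the JavaScript scorer the comment refers to; it assumes that the two likelihood values are the threat-agent and vulnerability factor averages, that the two impact values are the technical-impact and business-impact averages, and that every factor is rated on the 0..9 scale used by the OWASP Risk Rating Methodology. The factor names and the sample ratings are constructed for the example.

```javascript
// Added example (not SimpleRisk code): OWASP-style risk score computed as
// "average the two likelihood values, average the two impact values,
// multiply, divide by 10", as the fix comment describes.
// ASSUMPTION: likelihood values = threat-agent avg and vulnerability avg;
// impact values = technical-impact avg and business-impact avg; factors 0..9.

const FACTOR_GROUPS = {
  threatAgent:     ['skillLevel', 'motive', 'opportunity', 'size'],
  vulnerability:   ['easeOfDiscovery', 'easeOfExploit', 'awareness', 'intrusionDetection'],
  technicalImpact: ['lossOfConfidentiality', 'lossOfIntegrity', 'lossOfAvailability', 'lossOfAccountability'],
  businessImpact:  ['financialDamage', 'reputationDamage', 'nonCompliance', 'privacyViolation'],
};

// Average one group of factors, rejecting anything outside the 0..9 scale so a
// bad form value cannot silently produce an out-of-range score.
function groupAverage(ratings, group) {
  const names = FACTOR_GROUPS[group];
  let sum = 0;
  for (const name of names) {
    const v = ratings[name];
    if (!Number.isInteger(v) || v < 0 || v > 9) {
      throw new RangeError(`${name} must be an integer 0..9, got ${v}`);
    }
    sum += v;
  }
  return sum / names.length;
}

// Returns the two intermediate values and the final score (raw and rounded to
// one decimal, which is how the issue reports scores such as 2.8 and 2.9).
function owaspScore(ratings) {
  const likelihood = (groupAverage(ratings, 'threatAgent') + groupAverage(ratings, 'vulnerability')) / 2;
  const impact = (groupAverage(ratings, 'technicalImpact') + groupAverage(ratings, 'businessImpact')) / 2;
  const score = (likelihood * impact) / 10;
  return { likelihood, impact, score, rounded: Math.round(score * 10) / 10 };
}

// Ratings with every factor set to the same value (used for bound checks).
function allAt(value) {
  const ratings = {};
  for (const names of Object.values(FACTOR_GROUPS)) {
    for (const name of names) ratings[name] = value;
  }
  return ratings;
}

// Upper bound of this formula: every factor at 9 gives 9 * 9 / 10 = 8.1.
function maxScore() {
  return owaspScore(allAt(9)).score;
}

// Sanity check for a score read back from storage: anything outside
// [0, maxScore()] cannot have come from the formula above.
function isPlausibleScore(score) {
  return typeof score === 'number' && score >= 0 && score <= maxScore();
}

// Constructed sample risk (not the reporter's actual ratings).
const SAMPLE_RISK = {
  skillLevel: 6, motive: 7, opportunity: 4, size: 5,
  easeOfDiscovery: 3, easeOfExploit: 3, awareness: 4, intrusionDetection: 8,
  lossOfConfidentiality: 7, lossOfIntegrity: 5, lossOfAvailability: 5, lossOfAccountability: 7,
  financialDamage: 3, reputationDamage: 4, nonCompliance: 2, privacyViolation: 5,
};

// Changing a single factor by one step should move the score by a small
// amount, not from 10 to 2.8 as the issue reports.
function rescoreWithMotive(ratings, motive) {
  return owaspScore({ ...ratings, motive });
}
```

With the sample ratings the score is 2.375 (2.4 rounded); lowering Motive from 7 to 6 gives 2.3. The bound check is the practical takeaway: under this formula no risk can score above 8.1, so a stored score of 10 is evidence that a second code path is computing something else, and a check like `isPlausibleScore` on the value about to be written would have flagged the divergence before it reached the user.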

@jsokol jsokol closed this as completed Feb 27, 2014
@nojeffrey
Author

Awesome, thanks for the quick fix!
