Risk Rating - When Is Critical Not? - Following the White Rabbit Blog -
Following the White Rabbit Blog » Risk Rating - When Is Critical Not?
Risk Rating - When Is Critical Not?

Have you ever thought to yourself - "How do they decide what's Critical / High / Medium / Low in the security defect findings?"

If you have then you're not alone. I get asked that question on a regular basis, and unfortunately the answer is not what I would like it to be.  You see, risk-ratings on security defects (I'm using defects vs. vulnerabilities here purposefully... if you follow my talks/posts you already understand why, if not, read some of my earlier posts to catch up) are black/white when it comes to a tool (like WebInspect) which does automated analysis.  The reality is, a tool can't make a conscious decision on a defect rating because (a) it requires conscious thought, and (b) it requires analytical skills a machine won't possess.  This leaves us with an interesting situation where "SQL Injection" is always considered a critical defect, right?

As far as tools are concerned (and this is a limitation of finite-state machines) that SQL Injection defect is always critical, on matter what the context.

Given that we want to do a more, logic-based approach to security defect ranking/rating, we need to understand what exactly that requires.  Here's my proposal (rough draft for now, until I get some more momentum) on what the context of a security defect should be:

  1. Criticality of the containing application (business-critical or not?)
  2. Sensitivity of the data a resultant exploitation would lead to (customer-credit information?  medical information? brochureware?)
  3. Placement of the defect (landing page? buried in an administrative interface requiring multi-stage authentication, etc)
  4. General exploitability (XSS is generally easy to exploit, whereas, buffer overflows are not...)

There you have it.  Obviously this is grossly over-simplified for now, and a significant amount of work needs to be done to standardize, re-word and further formalize the contextual parameters of security defects - but I think that doing this work is paramount in order to start to understand the concepts of risk analysis better.  How can you present security risk to a CIO when you have no idea what the actual risk context is?

If you'd like to participate, or have done work in this area already please ping me directly and I will contact you.  This is a critical area of research and it requires the input of business... otherwise vacuum-think is relatively useless and we'll have more of what we have now - defects without context.

 Thanks for reading!

Posted 10-31-2008 5:51 AM by RafalLos
Filed under: , ,

Comments

Pradeep wrote re: Risk Rating - When Is Critical Not?
on 10-31-2008 7:54 PM

What you are touching upon get covered by us in our security enhanced SDLC process ( Agile) which leverages OWASP and two other Standards modified to fit our environment. We call out specific activities and deliverable's during our SW dev and testing process where security context awareness is discussed with the Agile team.

I can share some of the templates we use in the process. Works for us.

After several iterations, I I devised a model to hash out Security context which works for our organisation and is embedded into our SDLC and QA processes. The model has three axis - Performance, Compliance and Vulnerability.  For each Security data point ( for us, HP Web Inspect  and a number of other tools, defect tracking db, WAF reports etc ) , we apply and try to visualize  the security data point around these three axis and rate it. The rating is then reviewed in business context and a decision called out in the Scrum meeting. So you see, it is a two step process. Round 1 gives a perspective which analyzes defects, vulnerabilities and performance impact a fix/patch/change may cause. Round 2 frees up dev, QA ( hands on ) team to get back to their Sprint and enables informed business decision.

If a Security bug identified by Say Web Inspect , verified by a Code Review exisits on app 1 but app 1 is not subject to PCI, then we rate this bug different from say another security find that indicates CSRF vul on an app of lower rev potential and not subject to complaince. Compliance checks take into account data at risk, so if there is PII/ CC at risk, the rating is adjusted.

Next, we learn that security context awareness needs to be a part of the SDLC/Agile. Companies must have  a well defined "Activity" and a well defined "Deliverable" associated with this step. This is all a big manual process and if there was some way for disperate data to be aggregated and a tool that enabled business vetting, it may help. If you are aware of such such tool, then please let me know.

Join in the Bay Area Secure SDLC discussion and I am sure there may be other smart ideas that we can learn from.

Thanks for taking this initiative. Much needed and indeed a pain point.

Regards

starcitepk@gmail.com

Clerkendweller wrote re: Risk Rating - When Is Critical Not?
on 10-31-2008 9:06 PM

Would "degree of exposure"/"number of records" exposed be a factor to take into account as well?  If you can extract all user names, that would be more important than if only one or the current login's user name are exposed.

Also, have you seen Wills and Brewer's presentation on implementing ISO/BS (1)7799 at www.gammassl.co.uk/.../IISyG.pdf ?

One of the ideas there is ranking controls (see page 46) in an Internal Control System (ICS)  into 9 different classes depending on the ability to detect an event and correct it.  After reading your posting I wondered if "time to detect and fix" might also be a factor to consider i.e. if it is unlikely to be detected, the issue is more important.  This assumes additional knowledge, but it is "context" and the type of thing considered when a test report is examined by management.

RafalLos wrote re: Risk Rating - When Is Critical Not?
on 11-01-2008 5:23 AM

-- Excellent points!

 I suspect the points you've both uncovered are the start of something.  I like the idea of scoring on multiple data-points but too many and it becomes crazy to try and figure out.  Simplicity is good, but too simple and it doesn't capture the true "nature" of the risk context.  Contextualizing is hard, I think it's becoming clearer - and there are no tools that I know of that do it for you without significant effort involved.

 In the back of my mind I have this vision of a tool that takes your inputs to a series of targeted questions (based on the "thing" the risk analysis is being performed on) and then plots a nice, colorful graph which visually illustrates the "contextualized magnitude of qualified risk"...  Me and my crazy ideas right?  Or are they...

Clerkendweller wrote re: Risk Rating - When Is Critical Not?
on 11-01-2008 5:21 PM

Crazy or not, maybe a topic for an OWASP project?

Jeff Williams wrote re: Risk Rating - When Is Critical Not?
on 11-03-2008 12:24 AM

Have you looked at the OWASP Risk Rating Methodology (www.owasp.org/.../OWASP_Risk_Rating_Methodology) or FAIR?

RafalLos wrote re: Risk Rating - When Is Critical Not?
on 11-04-2008 6:41 AM

@Jeff Williams: An excellent find; although I confess I had not looked at it in-depth earlier.  I will give this some thought, and perhaps contribute or comment on this in my next post.  I urge my readers to give Jeff's link (above) a click, a read, and perhaps we can establish some dialogue about it and how it can be applied.

Add a Comment

(required)  
(optional)
(required)  
Remember Me?

Type the numbers and letters above:
Privacy Statement
Powered by Community Server (Non-Commercial Edition), by Telligent Systems