OWASP Risk Rating Methodology

Drafted by Roy 2/14/2012, Revised 2nd by McFord 9.6.2011, OWASP 中国, http://www.owasp.org.cn

Contents

1 The OWASP Risk Rating Methodology
2 Approach
3 Step 1: Identifying a Risk
4 Step 2: Factors for Estimating Likelihood
  4.1 Threat Agent Factors
  4.2 Vulnerability Factors
5 Step 3: Factors for Estimating Impact
  5.1 Technical Impact Factors
  5.2 Business Impact Factors
6 Step 4: Determining the Severity of the Risk
  6.1 Informal Method
  6.2 Repeatable Method
  6.3 Determining Severity
7 Step 5: Deciding What to Fix
8 Step 6: Customizing Your Risk Rating Model
  8.1 Adding factors
  8.2 Customizing options
  8.3 Weighting factors
9 References

The OWASP Risk Rating Methodology

Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business. Early in the lifecycle, you may identify security concerns in the architecture or design by using threat modeling. Later, you may find security issues using code review or penetration testing. Or you may not discover a problem until the application is in production and is actually compromised.

By following the approach here, you'll be able to estimate the severity of all of these risks to your business, and make an informed decision about what to do about them. Having a system in place for rating risks will save time and eliminate arguing about priorities. This system will help to ensure that you don't get distracted by minor risks while ignoring more serious risks that are less well understood.
Ideally, there would be a universal risk rating system that would accurately estimate all risks for all organizations. But a vulnerability that is critical to one organization may not be very important to another.

So a basic framework is presented here that you should customize for your organization. The authors have tried hard to make this model simple enough to use, while keeping enough detail for accurate risk estimates to be made. Please reference the section below on customization for more information about tailoring the model for use in your organization.

Approach

There are many different approaches to risk analysis. See the reference section below for some of the most common ones. The OWASP approach presented here is based on these standard methodologies and is customized for application security. Let's start with the standard risk model:

Risk = Likelihood * Impact

In the sections below, we break down the factors that make up "likelihood" and "impact" for application security and show how to combine them to determine the overall severity for the risk.
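The combination that paragraph describes, carried through as an added Python example (this is not code from the OWASP document or from OWASP 中国): each of the sixteen factors from Steps 2 and 3 is scored 0 to 9, the likelihood factors and the impact factors are averaged separately, each average is banded Low / Medium / High, and the two bands are looked up in the Step 4 severity matrix. The factor names, the 0-9 scale, the band thresholds and the matrix follow the published OWASP methodology, which this preview is cut off before reaching; the scores given for the sample finding are constructed for illustration.

```python
"""Worked example of the OWASP "repeatable method" (Steps 2 to 4).

Added example for this page; not code from the OWASP document. The
factor names, the 0-9 scale, the per-group averaging, the LOW/MEDIUM/
HIGH bands and the overall severity matrix follow the published OWASP
Risk Rating Methodology. The scores in EXAMPLE are constructed.
"""

# Likelihood factors (Step 2). Higher score = attack more likely.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit",
                 "awareness", "intrusion_detection")

# Impact factors (Step 3). Higher score = worse outcome.
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage",
                   "non_compliance", "privacy_violation")

# Step 4: overall severity keyed by (likelihood band, impact band).
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def band(score: float) -> str:
    """Map an averaged 0-9 score to LOW (<3), MEDIUM (3 to <6) or HIGH (>=6)."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(scores: dict, factors: tuple) -> float:
    """Average one group of factors, refusing missing or out-of-range scores."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise KeyError(f"unscored factors: {missing}")
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError(f"{f}={scores[f]} is not on the 0-9 scale")
    return sum(scores[f] for f in factors) / len(factors)


def rate(scores: dict, use_business_impact: bool = True) -> dict:
    """Combine likelihood and impact into the overall severity (Step 4).

    OWASP prefers business impact when the rater has that information and
    falls back to technical impact otherwise; the caller picks which group.
    """
    likelihood = average(scores, THREAT_AGENT + VULNERABILITY)
    impact_factors = BUSINESS_IMPACT if use_business_impact else TECHNICAL_IMPACT
    impact = average(scores, impact_factors)
    lb, ib = band(likelihood), band(impact)
    return {
        "likelihood": likelihood,
        "likelihood_band": lb,
        "impact": impact,
        "impact_band": ib,
        "impact_used": "business" if use_business_impact else "technical",
        "severity": SEVERITY_MATRIX[(lb, ib)],
    }


# Constructed scores for one hypothetical finding (not from the document).
EXAMPLE = {
    "skill_level": 5, "motive": 2, "opportunity": 7, "size": 1,
    "ease_of_discovery": 3, "ease_of_exploit": 6, "awareness": 9, "intrusion_detection": 2,
    "loss_of_confidentiality": 9, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 8,
    "financial_damage": 1, "reputation_damage": 2, "non_compliance": 1, "privacy_violation": 5,
}

if __name__ == "__main__":
    for r in (rate(EXAMPLE), rate(EXAMPLE, use_business_impact=False)):
        print(f"likelihood {r['likelihood']:.3f} ({r['likelihood_band']}), "
              f"{r['impact_used']} impact {r['impact']:.2f} ({r['impact_band']}) "
              f"-> {r['severity']}")
```

Running it on the constructed finding gives a MEDIUM likelihood (4.375) either way, but the impact band depends on which group is used: the technical factors average 7.25 (HIGH, overall High) while the business factors average 2.25 (LOW, overall Low). That gap is the reason the methodology tells you to rate against business impact whenever you can get that information, and the reason the two lookups are kept separate rather than blended.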
Step 1: Identifying a Risk
Step 2: Factors for Estimating Likelihood
Step 3: Factors for Estimating Impact
Step 4: Determining Severity of the Risk
Step 5: Deciding What to Fix
Step 6: Customizing Your Risk Rating Model

Step 1: Identifying a Risk

The first step is to identify a security risk that needs to be rated. You'll need to gather information about the threat agent involved, the attack they're using, the vulnerability involved, and the impact of a successful exploit on your business. There may be multiple possible groups of attackers, or even multiple possible business impacts. In general, it's best to err on the side of caution by using the worst-case option, as that will result in the highest o