This repository was archived by the owner on Apr 11, 2025. It is now read-only.
How To
adeyosemanputra edited this page Dec 11, 2018 · 2 revisions
Identifying a Risk
The first step is to identify a security risk that needs to be rated. The tester needs to gather information about the threat agent involved, the attack that will be used, the vulnerability involved, and the impact of a successful exploit on the business.
Tools: OWASP ZAP, Burp Suite, OWASP Dependency-Check (covers OWASP Top 10 2017 A9:2017 - Using Components with Known Vulnerabilities), OWASP Nettacker
Likelihood factors
| Top 10 OWASP 2017 | Threat agent: Skill level | Threat agent: Motive | Threat agent: Opportunity | Threat agent: Size | Vulnerability: Ease of discovery | Vulnerability: Ease of exploit | Vulnerability: Awareness | Vulnerability: Intrusion detection | Score |
|---|---|---|---|---|---|---|---|---|---|
| Injection | | | | | | | | | |
| Broken authentication | | | | | | | | | |
| Sensitive data exposure | | | | | | | | | |
| XML external entities (XXE) | | | | | | | | | |
| Broken access control | | | | | | | | | |
| Security misconfiguration | | | | | | | | | |
| Cross-site scripting (XSS) | | | | | | | | | |
| Insecure deserialization | | | | | | | | | |
| Using components with known vulnerabilities | | | | | | | | | |
| Insufficient logging and monitoring | | | | | | | | | |
Impact factors
| Top 10 OWASP 2017 | Technical impact: Loss of confidentiality | Technical impact: Loss of integrity | Technical impact: Loss of availability | Technical impact: Loss of accountability | Business impact: Financial damage | Business impact: Reputation damage | Business impact: Non-compliance | Business impact: Privacy violation | Score |
|---|---|---|---|---|---|---|---|---|---|
| Injection | | | | | | | | | |
| Broken authentication | | | | | | | | | |
| Sensitive data exposure | | | | | | | | | |
| XML external entities (XXE) | | | | | | | | | |
| Broken access control | | | | | | | | | |
| Security misconfiguration | | | | | | | | | |
| Cross-site scripting (XSS) | | | | | | | | | |
| Insecure deserialization | | | | | | | | | |
| Using components with known vulnerabilities | | | | | | | | | |
| Insufficient logging and monitoring | | | | | | | | | |
Overall Risk Severity = Likelihood x Impact
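The page states the combination abstractly. As an added example (not the wiki's own code), the script below fills the two tables for one finding and derives the overall severity; the 0-9 factor scale, the LOW/MEDIUM/HIGH bands and the likelihood-by-impact severity matrix are assumptions taken from the OWASP Risk Rating Methodology that these factor names follow, and the sample scores are constructed.

```python
from statistics import mean

# Factor groups, as the two tables on this page lay them out.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                               # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",   # vulnerability
)
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage",
                   "non_compliance", "privacy_violation")

# Assumption from the OWASP Risk Rating Methodology (not stated on this page):
# rows are the impact level, columns the likelihood level.
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}

def level(score: float) -> str:
    """OWASP bands for a 0-9 average: <3 LOW, 3 to <6 MEDIUM, 6-9 HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def average(rating: dict, names: tuple) -> float:
    """Average the named factors; each must be rated on the 0-9 scale."""
    values = [rating[n] for n in names]          # KeyError flags a missing factor
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("every factor must be scored 0-9")
    return mean(values)

def rate(rating: dict, business: bool = False) -> dict:
    """Likelihood, impact and overall severity for one finding.
    Technical impact by default; business impact when the tester can score it."""
    likelihood = average(rating, LIKELIHOOD_FACTORS)
    impact = average(rating, BUSINESS_IMPACT if business else TECHNICAL_IMPACT)
    return {"likelihood": likelihood, "impact": impact,
            "severity": SEVERITY[level(impact)][level(likelihood)]}

# Constructed sample scores for one Injection finding (illustrative only).
INJECTION = {
    "skill_level": 6, "motive": 9, "opportunity": 7, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 8,
    "loss_of_confidentiality": 9, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 9,
    "financial_damage": 4, "reputation_damage": 5, "non_compliance": 4, "privacy_violation": 3,
}

if __name__ == "__main__":
    print(rate(INJECTION))                  # technical impact: Critical
    print(rate(INJECTION, business=True))   # business impact: High
```

Scoring the same finding against business impact rather than technical impact moves it one band down, which is why the two impact groups are kept as separate columns in the table above.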