OWASP风险评级方法.pdf

OWASP Risk Rating Methodology OWASP风险评级方法论 Contents 目录： ? 1 The OWASP Risk Rating Methodology ? 1.OWASP 风险评级方法论 ? 2 Approach ? 2.方法 ? 3 Step 1: Identifying a Risk ? 3.步骤一：确定风险类别 ? 4 Step 2: Factors for Estimating Likelihood ? 4.步骤二：评估可能性的因素 o 4.1 Threat Agent Factors o 4.1 威胁来源因素 o 4.2 Vulnerability Factors o 4.2 脆弱性因素 ? 5 Step 3: Factors for Estimating Impact ? 5.步骤三：评估影响的因素 o 5.1 Technical Impact Factors o 5.1 技术影响因素 o 5.2 Business Impact Factors o 5.2 业务影响因素 ? 6 Step 4: Determining the Severity of the Risk ? 6 步骤四 : 确定风险的严重程度 o 6.1 Informal Method o 6.1 非正式的方法 o 6.2 Repeatable Method o 6.2 重复方法 o 6.3 Determining Severity o 6.3 确定严重程度 ? 7 Step 5: Deciding What to Fix ? 7 步骤七 : 决定修复内容 ? 8 Step 6: Customizing Your Risk Rating Model ? 8 步骤八 : 自定义您的风险评级模型 o 8.1 Adding factors o 8.1 增加因素 o 8.2 Customizing options nd Drafted by Roy 2/14/2012 Revised 2 by McFord 9.6.2011 OWASP 中国 o 8.2 自定义选项 o 8.3 Weighting factors o 8.3 因素加权 9 References 9 参考 The OWASP Risk Rating Methodology OWASP风险评级方法论 Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business. Early in the lifecycle, you may identify security concerns in the architecture or design by usingthreat modeling. Later, you may find security issues usingcode review or penetration testing. Or you may not discover a problem until the application is in production and is actually compromised. 发现漏洞很重要， 能够评估对业务相关的风险同样重要。 在软件生命周期的早 期，你可能在架构中定义或者用威胁模型设计安全的概念。