As you might know, I’m working on several different security-related projects, for example my Vulnerability Scanner, the XSS on PDA project and some others. Now I’ve got one more.
My new project is a risk calculation model for web applications. Its goal is to let security analysts classify the security of a web application after or during a pentest. Of course the question is why there should be yet another calculation model when some already exist, and why someone would want to rate his findings in a web application in a mathematical way at all. Let me explain the goals I want to reach with this project.
- If you have a formula for calculating the security-related findings in a web application, you can do statistics.
- From the point of view of a security vendor, it’s easier to present your work to management if you have some numbers and/or some charts in your report.
- Because of the calculation, the developers and the other people who have to fix the flaws can plan their time better if they know how important each finding is.
Yes, these are only a few of the reasons why I think it’s important to build such a calculation system. Now, as I already wrote above, the question is still why I’m doing this when there are already calculation models like DREAD. It’s true that they exist and that they work really nicely, but I’ve got two main problems with them:
- They always target application security in general and not specifically web application security.
- They don’t take into account the business context of the web app. So the result of a risk classification doesn’t depend on the sensitivity of the stored information, for example: it makes no difference whether it’s an e-banking system or a private website.
I hope this shows you why the existing calculation models don’t work for me, at least not when I have to present my findings from different web applications to the same customer.
OK, to get to the point, I’ll introduce my basic ideas (though there isn’t that much yet).
My calculation model will be based on DREAD, which rates a finding by damage, reproducibility, exploitability, affected users and, last but not least, discoverability. I think it’s a very good calculation model and it’s also quite easy to use, but as I wrote above it has the same two problems as the others. So, because I think DREAD is the best risk calculation model that exists at the moment, I’ll build mine on top of it. My goal is to extend DREAD with factors such as: is the web application only available in the LAN or on the whole internet, how is the authentication done, how sensitive is the data that can be accessed through the web app, and of course how important the web application is for the company. That last one is one of the main questions: think about eBay, Google, Amazon and all the big companies that make their money with their web applications; they will get real problems if someone breaks into their stuff, whereas for companies that “only” present themselves on the internet through their website it’s not that dangerous.
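To make the idea concrete, here is an added illustration of how such an extension could look. This is my own example code, not the author’s model (which the post says is not finished yet): the plain DREAD average is computed first, and then scaled by context multipliers for exposure, authentication, data sensitivity and business importance. The factor tables and all weight values are assumptions chosen for illustration, as are the classification thresholds; the sample finding and the two sample web applications are constructed.

```python
from dataclasses import dataclass

# DREAD: each category rated 1..10, risk = average (as in the original model).
@dataclass(frozen=True)
class Dread:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def score(self) -> float:
        vals = (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)
        for v in vals:
            if not 1 <= v <= 10:
                raise ValueError("DREAD ratings must be in 1..10")
        return sum(vals) / len(vals)

# Hypothetical context factors (assumed weights, not from the post).
# Values above 1.0 raise the risk relative to plain DREAD, below 1.0 lower it.
EXPOSURE = {"lan": 0.6, "extranet": 0.8, "internet": 1.0}
AUTHENTICATION = {"strong": 0.7, "password": 0.9, "none": 1.0}
DATA_SENSITIVITY = {"public": 0.5, "internal": 0.8, "confidential": 1.0, "financial": 1.2}
BUSINESS_IMPORTANCE = {"brochure": 0.5, "supporting": 0.8, "core": 1.2}

@dataclass(frozen=True)
class WebAppContext:
    name: str
    exposure: str
    authentication: str
    data_sensitivity: str
    business_importance: str

    def multiplier(self) -> float:
        # Unknown keys raise KeyError, which is deliberate: every factor must be rated.
        return (EXPOSURE[self.exposure]
                * AUTHENTICATION[self.authentication]
                * DATA_SENSITIVITY[self.data_sensitivity]
                * BUSINESS_IMPORTANCE[self.business_importance])

def contextual_risk(finding: Dread, ctx: WebAppContext) -> float:
    # Scale the plain DREAD average by the context multiplier, capped at 10.
    return round(min(10.0, finding.score() * ctx.multiplier()), 2)

def classify(score: float) -> str:
    # Assumed thresholds for reporting buckets.
    if score >= 7.5:
        return "critical"
    if score >= 5.0:
        return "high"
    if score >= 2.5:
        return "medium"
    return "low"

def prioritise(findings: list[tuple[str, Dread, WebAppContext]]) -> list[tuple[str, float, str]]:
    # Order findings across several web apps of one customer, highest risk first,
    # which is what the developers need for time planning.
    rated = [(title, contextual_risk(d, ctx), classify(contextual_risk(d, ctx)))
             for title, d, ctx in findings]
    return sorted(rated, key=lambda r: r[1], reverse=True)

# Constructed sample: the same stored XSS rated with identical DREAD values
# in an e-banking portal and in a brochure website.
STORED_XSS = Dread(damage=8, reproducibility=9, exploitability=7,
                   affected_users=8, discoverability=9)
EBANKING = WebAppContext("e-banking", "internet", "strong", "financial", "core")
BROCHURE = WebAppContext("brochure site", "internet", "none", "public", "brochure")

if __name__ == "__main__":
    print("plain DREAD:", STORED_XSS.score())  # identical for both apps
    for title, score, bucket in prioritise([("Stored XSS in profile", STORED_XSS, EBANKING),
                                            ("Stored XSS in contact form", STORED_XSS, BROCHURE)]):
        print(f"{title}: {score} ({bucket})")
```

Running it shows the point made in the post: plain DREAD gives 8.2 for both findings, while the context-weighted score is about 8.27 (critical) for the e-banking portal and 2.05 (low) for the brochure site, so the two can be ranked against each other in one report for the same customer.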
So, this was a small overview of my idea, or rather of my new project, and as soon as I’ve done a bit more I’ll of course write a new post in my blog.
I’m also open to ideas about what else I should include in my calculation model, or which of the points I plan to include don’t make sense from your point of view.
No Comments to “Webapplication Security Risk Calculation”