Risk Assessment
It is possible to assess both the risk and the remaining risk of an attack scenario. For the sake of simplicity, only the risk assessment is described below, although (almost) all points also apply to the remaining risk.
The risk can be assessed in different views:
- Attack Scenario
- Risk
- Dashboard
The Risk and Dashboard views contain only dropdowns for the risk metrics. To use all available assessment features, the Attack Scenario view must be used.
Attack Scenario View
The menu (No. 1) can be used to optionally add a CVSS or OWASP Risk Rating score. Furthermore, the risk rating assessment can be adopted from another attack scenario (which also links both attack scenarios). Scores can be edited in a separate dialog (No. 2). It is possible to assess the risk using multiple risk assessment methods (No. 3).
Each metric of a method is shown as individual dropdown. There may be additional information and explanation available for a metric (No. 4). It is possible to link a predefined assumption/constraint (No. 5) (see Assumptions & Constraints). If a metric is determined using two sub-metrics, a matrix can be opened to view and edit the metric (No. 6).
It is possible to add/edit/delete notes for each metric (No. 7).
Info
Notes may be added automatically if a metric value is set automatically by code.
CVSS Dialog
The two CVSS versions 3.1 and 4.0 are supported (No. 1). Both can be used, but only the default CVSS version is shown in the attack scenario view. Each metric has a description and the possibility to add notes (No. 2). The resulting vector can be copied (No. 4) and can also be set by pasting it into the field (No. 3). The vector can also be viewed in the CVSS calculator provided by NIST NVD (No. 5).
OWASP Risk Rating Dialog
Editing the OWASP Risk Rating score is straightforward. There is also the possibility to view the vector in the Risk Rating Calculator provided by OWASP by clicking on the vector.