Task: Evaluate Security Risks
This task describes the main aspects of ranking and prioritizing the discovered security issues.
Purpose
Rank and prioritize the discovered security risks.
Relationships
Inputs (Mandatory, Optional, External):
  • None
Outputs
Main Description

Some Web application vulnerabilities expose an organization to higher risk than others. It is important to evaluate the risk associated with each vulnerability in order to prioritize their resolution. For example, a vulnerability that is easy to discover and exploit, and that would allow an attacker to steal sensitive user data or crash the application, should be fixed before one that is very difficult to discover, requires a highly skilled attacker, and has low damage potential.

There are different methodologies for evaluating the risks associated with security vulnerabilities. These methodologies typically take into account factors such as ease of discovery, time to exploit, attacker skill level, and so on.

Once you have evaluated the security risks, rank the vulnerabilities and create a list with the highest-priority ones at the top.

Steps
Identify the Security Risks Associated with each Vulnerability

Collate the information, analyze the findings, and list the risks associated with each vulnerability.

Rank the Security Issues by Priority

Choose an appropriate risk analysis method, analyze each finding, and rank it using a simple scale (such as High, Medium, or Low).
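The two steps above, carried out over a small set of findings, as an added example (not part of the original task description). The scoring scheme is an assumption: each factor is scored 0-9 in the spirit of the OWASP Risk Rating Methodology, likelihood and impact are each averaged and bucketed onto the High/Medium/Low scale, and a constructed 3x3 matrix combines them into an overall rating. The findings themselves are constructed sample data.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Finding:
    name: str
    # Likelihood factors, each scored 0-9 (higher = easier for an attacker).
    ease_of_discovery: int
    ease_of_exploit: int
    skill_not_required: int   # 9 = no special skill needed, 1 = expert only
    # Impact factors, each scored 0-9 (higher = more damage).
    loss_of_confidentiality: int
    loss_of_availability: int


LEVEL_ORDER = {"Low": 1, "Medium": 2, "High": 3}


def to_level(score: float) -> str:
    """Bucket a 0-9 average onto the task's High/Medium/Low scale (assumed cut-offs)."""
    if score < 3:
        return "Low"
    if score < 6:
        return "Medium"
    return "High"


def likelihood(f: Finding) -> float:
    """Step 1: how easily the vulnerability can be found and exploited."""
    return mean([f.ease_of_discovery, f.ease_of_exploit, f.skill_not_required])


def impact(f: Finding) -> float:
    """Step 1: how much damage a successful exploit would cause."""
    return mean([f.loss_of_confidentiality, f.loss_of_availability])


# Assumed matrix: a finding that is both likely and damaging is High; scoring
# Low on either axis pulls the overall rating down.
RISK_MATRIX = {
    ("High", "High"): "High", ("High", "Medium"): "High", ("Medium", "High"): "High",
    ("Medium", "Medium"): "Medium", ("High", "Low"): "Medium", ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low", ("Low", "Medium"): "Low", ("Low", "Low"): "Low",
}


def overall_level(f: Finding) -> str:
    return RISK_MATRIX[(to_level(likelihood(f)), to_level(impact(f)))]


def rank_findings(findings):
    """Step 2: return one row per finding, highest priority first."""
    rows = [
        {"name": f.name, "likelihood": likelihood(f), "impact": impact(f),
         "rating": overall_level(f)}
        for f in findings
    ]
    # Sort by rating, then by raw score, then by name for a stable report.
    rows.sort(key=lambda r: (-LEVEL_ORDER[r["rating"]],
                             -(r["likelihood"] + r["impact"]), r["name"]))
    return rows


# Constructed sample findings (not from any real assessment).
SAMPLE_FINDINGS = [
    Finding("Timing leak in legacy endpoint", 1, 1, 1, 2, 1),
    Finding("Unauthenticated customer export", 9, 9, 9, 9, 7),
    Finding("Verbose error page", 5, 3, 4, 7, 2),
]

if __name__ == "__main__":
    for r in rank_findings(SAMPLE_FINDINGS):
        print(f'{r["rating"]:<6} L={r["likelihood"]:.1f} I={r["impact"]:.1f}  {r["name"]}')
```

Running the block prints the prioritized list the task asks for, with the easy-to-exploit data-theft finding at the top and the hard-to-find, low-damage one at the bottom. Swapping in a different methodology only means replacing the factors, the cut-offs in to_level, and the matrix; the ranking step stays the same.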

Properties
Multiple Occurrences
Event Driven
Ongoing
Optional
Planned
Repeatable