Task: Evaluate Security Risks
This task describes the main aspects of ranking and prioritizing the discovered security issues.
Disciplines: Test
Purpose
Rank and prioritize the discovered security risks.
        Main Description

        Some web application vulnerabilities expose an organization to higher risk than others. It is important to evaluate the risks associated with each vulnerability in order to prioritize their resolution. For example, a vulnerability that is easy to discover and exploit, and that would allow an attacker to steal sensitive user data or crash the application, should be fixed before a vulnerability that is very difficult to discover, requires a highly skilled attacker, and has low damage potential.

        There are different methodologies for evaluating the risks associated with security vulnerabilities. These methodologies typically take into account factors such as ease of discovery, time to exploit, attacker skill level, and so on.

        Once you have evaluated the security risks, rank the vulnerabilities and create a list with the highest-priority ones at the top.

        Steps
        Identify the Security Risks Associated with each Vulnerability

        Collate the information, analyze the findings, and list the risks associated with each vulnerability.

        Rank the Security Issues by Priority

        Choose an appropriate risk analysis method, analyze each finding, and rank it using a simple scale (such as High, Medium, or Low).
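        As an added illustration that is not part of this task description, the following Python sketch implements one simple risk-analysis method of the kind the two steps above call for: each finding is scored on the factors named earlier (ease of discovery, ease of exploitation, attacker skill required, damage potential), likelihood and impact are mapped onto the High/Medium/Low scale, and the findings are listed highest priority first. The 1-to-9 scale, the combination rule and the sample findings are assumptions chosen for the example, not a method the page prescribes.

```python
from dataclasses import dataclass

# Factor scale (assumed for this example): 1 = least favourable to an
# attacker, 9 = most favourable to an attacker.
@dataclass
class Finding:
    name: str
    ease_of_discovery: int   # how easily the flaw can be found
    ease_of_exploit: int     # how little effort exploitation takes
    low_skill_needed: int    # 9 = no skill required, 1 = expert required
    damage: int              # impact if exploited (data theft, crash, ...)

LEVELS = ("Low", "Medium", "High")

def likelihood(f: Finding) -> float:
    """Average of the discovery / exploit / skill factors (1..9)."""
    return (f.ease_of_discovery + f.ease_of_exploit + f.low_skill_needed) / 3

def to_level(value: float) -> str:
    """Map a 1..9 factor value onto the page's High/Medium/Low scale."""
    if value < 3:
        return "Low"
    if value < 6:
        return "Medium"
    return "High"

def overall_risk(f: Finding) -> str:
    """Combine likelihood and impact levels: risk rises with both."""
    combined = (LEVELS.index(to_level(likelihood(f)))
                + LEVELS.index(to_level(f.damage)))
    # index 0..4 -> Low, Low, Medium, High, High
    return ("Low", "Low", "Medium", "High", "High")[combined]

def rank_findings(findings):
    """Highest priority first; ties broken by raw likelihood * impact."""
    return sorted(findings,
                  key=lambda f: (LEVELS.index(overall_risk(f)),
                                 likelihood(f) * f.damage),
                  reverse=True)

# Constructed sample findings for the example (not real test results).
SAMPLE = [
    Finding("Hard-to-find flaw, expert-only, minimal damage", 2, 3, 1, 2),
    Finding("Easy-to-find flaw exposing sensitive user data", 9, 8, 7, 9),
    Finding("Verbose error pages reveal stack traces", 7, 4, 5, 3),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE):
        print(f"{overall_risk(f):6} {f.name}")
```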