Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 3 additions & 56 deletions 2025/docs/en/0x02_2025-What_are_Application_Security_Risks.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,62 +3,9 @@ Attackers can potentially use many different paths through your application to d

![Calculation diagram](../assets/2025-algorithm-diagram.png)

<table>
<tr>
<td>
<strong>Threat Agents</strong>
</td>
<td>
<strong>Attack \
Vectors</strong>
</td>
<td>
<strong>Exploitability</strong>
</td>
<td>
<strong>Likelihood of Missing Security</strong>
<p style="text-align: center">

<strong>Controls</strong>
</td>
<td>
<strong>Technical</strong>
<p style="text-align: center">

<strong>Impacts</strong>
</td>
<td>
<strong>Business</strong>
<p style="text-align: center">

<strong>Impacts</strong>
</td>
</tr>
<tr>
<td>
<strong>By environment, \
dynamic by situation picture</strong>
</td>
<td>
<strong>By Application exposure (by environment)</strong>
</td>
<td>
<strong>Avg Weighted Exploit</strong>
</td>
<td>
<strong>Missing Controls \
by average Incidence rate \
Weighed by coverage</strong>
</td>
<td>
<strong>Avg Weighted Impact</strong>
</td>
<td>
<strong>By Business</strong>
</td>
</tr>
</table>

| Threat Agents | Attack Vectors | Exploitability | Likelihood of Missing Security Controls | Technical Impacts | Business Impacts |
| --- | --- | --- | --- | --- | --- |
| Varies by environment and context | Based on application exposure | Average weighted exploitability | Weighted by incidence rate and control coverage | Average weighted impact | Based on business impact |

In our Risk Rating we have taken into account the universal parameters of exploitability, average likelihood of missing security controls for a weakness and its technical impacts.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ If you are starting a program from scratch, or you find OWASP SAMM or DSOMM ‘t

* Review your current system development life cycle and all software security activities, tooling, policies, and processes, then document them.

* For new software, add one or more security activities to each phase of the system development life cycle (SDLC). Below we offer many suggestions of what you can do below. Ensure you perform these new activities on every new project or software initiative, this way you will know each new piece of software will be delivered at an acceptable security posture for your organizations.
* For new software, add one or more security activities to each phase of the system development life cycle (SDLC). Below we offer many suggestions of what you can do. Ensure you perform these new activities on every new project or software initiative, this way you will know each new piece of software will be delivered at an acceptable security posture for your organizations.

* Select your activities to ensure your final product meets an acceptable level of risk for your organization.

Expand Down