Control your products and have all important info in one place

Appsec product catalog

Example

WRT Calculation

After you have discussed all business risks and bug severities, you can translate them into numbers (weights).

Severity weight

Calculation logic

All we need to do is sum the severity weights of all bugs and multiply by the business criticality.

WRT = ( (BugN * Severity) + (BugN+1 * Severity) + ... ) * Business criticality

Let's say we have the "great public site" product with a stored XSS, an SQLi and an Account takeover via Open Redirect.

WRT = ( (XSS) + (SQLi) + (?) ) * Business criticality

If we have a non-typical vulnerability, we must set its severity by using our special page.

From there we get High priority for our Account takeover.

WRT = ( 5 + 10 + 5 ) * 0.9 = 18
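As an added illustration (not code from the original page), the WRT formula above applied to a small constructed catalog in Python: each bug contributes its severity weight, the sum is multiplied by business criticality, and products are ranked against the risk appetite. Only High = 5 and the example values 5, 10 and 0.9 come from the page; the rest of the weight table, the second product and the appetite threshold are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Severity weights. Only High = 5 is given on the page (Account takeover);
# the other rows are assumed placeholders for illustration.
SEVERITY_WEIGHT = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1}

@dataclass
class Finding:
    name: str
    severity: str
    # Weight set by hand for a non-typical bug after classifying it
    # (the page's "special page" step).
    weight_override: Optional[int] = None

    def weight(self) -> int:
        if self.weight_override is not None:
            return self.weight_override
        if self.severity not in SEVERITY_WEIGHT:
            raise ValueError(f"{self.name}: unknown severity {self.severity!r}; "
                             "classify it first and set weight_override")
        return SEVERITY_WEIGHT[self.severity]

@dataclass
class Product:
    name: str
    business_criticality: float  # 0..1, from the business-risk discussion
    findings: list = field(default_factory=list)

def wrt(product: Product) -> float:
    """WRT = (sum of bug severity weights) * business criticality."""
    total = sum(f.weight() for f in product.findings)
    return round(total * product.business_criticality, 2)

def rank_catalog(products, risk_appetite: float):
    """Catalog sorted by WRT, highest first, flagging products over the appetite."""
    ranked = sorted(products, key=wrt, reverse=True)
    return [(p.name, wrt(p), wrt(p) > risk_appetite) for p in ranked]

# Constructed catalog. "great public site" is the page's example: XSS (5),
# SQLi (10), account takeover via open redirect (High -> 5), criticality 0.9.
GREAT_PUBLIC_SITE = Product("great public site", 0.9, [
    Finding("Stored XSS", "High"),
    Finding("SQL injection", "Critical"),
    Finding("Account takeover via Open Redirect", "non-typical", weight_override=5),
])
# Assumed second product so the ranking has something to compare against.
INTERNAL_WIKI = Product("internal wiki", 0.3,
                        [Finding("Stored XSS", "High"), Finding("Info leak", "Low")])
```

`rank_catalog([INTERNAL_WIKI, GREAT_PUBLIC_SITE], 10)` returns the public site first with WRT 18.0 and flags it as over a risk appetite of 10.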

How to work with WRT

CEO

Must set the risk appetite, based on business risks.

Example

The initial target risk appetite (it can be changed) will be: