The OWASP Risk Rating Methodology is a commonly used approach for estimating the severity of security risks. In this model, security risks are assigned ratings (ranging from 0 to 9) for 16 individual risk factors. Calculations are then made to determine the relative Likelihood and Impact of threats to a business.
We recently helped a client implement this model in Jira with the help of Abacus—the Jira Calculator. Here's how it worked:
Working in Jira
The first step in the process was to create 16 Custom Fields in Jira corresponding to the 16 Risk Factors used in OWASP methodology. Risk Factors are divided into subgroups, including:
- Factors for Estimating Likelihood:
- 4 Threat Agent Factors
- 4 Vulnerability Factors
- Factors for Estimating Impact:
- 4 Technical Impact Factors
- 4 Business Impact Factors
For our client's "Risk" Issue Type in Jira, we configured 4 tabs on the Create Issue Screen to correspond to each of the four subgroups (Threat Agent, Vulnerability, Threat Impact, and Business Impact). On each of these tabs, the related factors were listed with dropdown menus ranging from 0 to 9 for assigning the relative risk rating of each factor.
A fifth tab was created to display the average Risk Ratings (0 to 9) and the corresponding Impact Levels (Low, Medium, High) for subgroups.
Working in Abacus
In order to calculate average Risk Ratings for the subgroups and assign the corresponding Impact Levels, we used Abacus, an app specifically designed for creating calculations in Jira.
Using Abacus, we applied the "Average" function to create formulas for the following subgroups:
- Overall Likelihood formula averages the 4 Threat Agent Factors and the 4 Vulnerability Factors
- Overall Technical Impact formula averages the 4 Technical Impact Factors
- Overall Business Impact formula averages the 4 Business Impact Factors
Next, an Execution Plan named "Severity" was created to determine when and how the formulas would run. The Issue Events "Issue Created" and "Issue Updated" were selected to trigger the formulas. Now, whenever an issue is created or updated, the formulas will run automatically.
Finally, Execution Groups were used to Edit Issue Fields with the Impact Levels for each of the average Risk Ratings. Using IF and ELSE IF statements along with JQL, we were able to edit the fields with the corresponding Impact Level.
Conclusion
Using Abacus and Jira together helped our client monitor the Likelihood, Technical Impact, and Business Impact of issues facing their company. Abacus can be used to create a wide variety of simple and complex numerical, date, and duration formulas.
Is it time to solve your Jira?