From dee3d63cf68231ec6f34e107eb61176fd2dce927 Mon Sep 17 00:00:00 2001 From: Bryant Eisenbach Date: Sun, 24 Jun 2018 21:40:56 -0400 Subject: [PATCH 1/3] Restored risk-assessment --- development/risk-assessment.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 development/risk-assessment.md diff --git a/development/risk-assessment.md b/development/risk-assessment.md new file mode 100644 index 0000000..9a5282b --- /dev/null +++ b/development/risk-assessment.md @@ -0,0 +1,20 @@ +# Risk Assessment + +In order to communicate on severity, a common model of risk inherent to smart contract issues discovered is required. +We will leverage the OWASP model, a common framework in software security, to develop this model. + +The OWASP model specifies that `Risk = Likelihood x Impact`. In order to quantify an identified risk +and communicate it to interested parties, it is necessary to quantify the Likelihood that an issue with occur +and the Impact it will have on the platform or network. + +We will perform this analysis at the method level of each smart contract, which will provide +a comprehensive analysis of all the possible calls. + +![](../.gitbook/assets/risk_levels.png) + +Specifically, we define Likelihood as the access control level (ACL) of a given method, +and Impact as the ability of that method to affect the use or ownership of valuable assets +held in the state of Ethereum or otherwise block their intended use. + +Understanding the risk inherent in the different functional components of your smart contract system +is the first step towards performing an assessment on whether a fix is required or can be deferred. From 9045a034cb61059a19b9b5f3d9fc6582afb19535 Mon Sep 17 00:00:00 2001 From: Bryant Eisenbach Date: Sun, 24 Jun 2018 21:48:52 -0400 Subject: [PATCH 2/3] Added link to risk assessment model --- security-audit/final-report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-audit/final-report.md b/security-audit/final-report.md index 59acae4..ae11118 100644 --- a/security-audit/final-report.md +++ b/security-audit/final-report.md @@ -10,7 +10,7 @@ It should contain: * The final Audit Prep Report * A list of issues found * Any mitigation or responses are contained here - * Uses the OWASP Model + * Uses the [Risk Assessment](../development/risk-assessment.md) Model to define severity * Final signature by the auditor that they performed an audit on your code This report is a attestation by the auditor that they did what they mentioned in their final report. It is not an endorsement of the underlying product and should not be used for marketing purposes. It is also not a security or correctness guarantee of the code. From 76ce025772621642add03628c88c87cce5d27243 Mon Sep 17 00:00:00 2001 From: Bryant Eisenbach Date: Sun, 24 Jun 2018 21:49:50 -0400 Subject: [PATCH 3/3] Added risk assessment to index --- SUMMARY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SUMMARY.md b/SUMMARY.md index 6993eaa..55c9f62 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -18,6 +18,7 @@ * [DNS Example](development/software-requirements/dns-example.md) * [Testing](development/testing.md) * [Traceability](development/traceability.md) +* [Risk Assessment](development/risk-assessment.md) * [Managing Changes](development/managing-changes.md) * [Peer Reviews](development/peer-reviews.md)