1 change: 1 addition & 0 deletions SUMMARY.md
Expand Up @@ -18,6 +18,7 @@
* [DNS Example](development/software-requirements/dns-example.md)
* [Testing](development/testing.md)
* [Traceability](development/traceability.md)
* [Risk Assessment](development/risk-assessment.md)
* [Managing Changes](development/managing-changes.md)
* [Peer Reviews](development/peer-reviews.md)

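Review bot: the new entry's link target `development/risk-assessment.md` matches the file this PR adds, and placing it between Traceability and Managing Changes keeps the assessment step next to the development practices it feeds into; no change needed in this hunk.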
20 changes: 20 additions & 0 deletions development/risk-assessment.md
@@ -0,0 +1,20 @@
# Risk Assessment

In order to communicate on severity, a common model of risk inherent to smart contract issues discovered is required.
We will leverage the OWASP model, a common framework in software security, to develop this model.

The OWASP model specifies that `Risk = Likelihood x Impact`. In order to quantify an identified risk
and communicate it to interested parties, it is necessary to quantify the Likelihood that an issue with occur
and the Impact it will have on the platform or network.

We will perform this analysis at the method level of each smart contract, which will provide
a comprehensive analysis of all the possible calls.

![](../.gitbook/assets/risk_levels.png)

Specifically, we define Likelihood as the access control level (ACL) of a given method,
and Impact as the ability of that method to affect the use or ownership of valuable assets
held in the state of Ethereum or otherwise block their intended use.

Understanding the risk inherent in the different functional components of your smart contract system
is the first step towards performing an assessment on whether a fix is required or can be deferred.
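Review bot: typo in the second paragraph, `an issue with occur` should read `an issue will occur`. Two further points on this file: the image `../.gitbook/assets/risk_levels.png` is referenced but is not part of this diff, so confirm the asset already exists in the repo (or add it in this PR), and give it alt text instead of `![]()`, since the figure is currently the only place the Likelihood and Impact scales are shown. Consider also stating in the text how ACL levels map to Likelihood values and which asset effects map to which Impact values, so the severity model can be applied without the figure, and linking the OWASP document the `Risk = Likelihood x Impact` formula is taken from.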
2 changes: 1 addition & 1 deletion security-audit/final-report.md
Expand Up @@ -10,7 +10,7 @@ It should contain:
* The final Audit Prep Report
* A list of issues found
* Any mitigation or responses are contained here
* Uses the OWASP Model
* Uses the [Risk Assessment](../development/risk-assessment.md) Model to define severity
* Final signature by the auditor that they performed an audit on your code

This report is a attestation by the auditor that they did what they mentioned in their final report. It is not an endorsement of the underlying product and should not be used for marketing purposes. It is also not a security or correctness guarantee of the code.
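Review bot: the relative link `../development/risk-assessment.md` resolves correctly from `security-audit/final-report.md` to the file added in this PR. While in this file, the unchanged context line `This report is a attestation` should read `an attestation`; worth fixing in the same PR.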