OWASP Risk Rating Management Project


There are many methodologies that can be used for security assessments, particularly website security assessments. OWASP already has a methodology for website security assessments, called the “OWASP Risk Rating Methodology”. OWASP also provides an Excel template to calculate the risk score.

But some users do not know how to assess their own websites. Some may have difficulty understanding the methodology, or they do not understand the threat agent factors (such as skill level) or the vulnerability factors (such as ease of exploit). Another problem occurs when an owner must assess many websites: they must create multiple copies of the OWASP Risk score template, increasing the likelihood of losing the file or the data in the process.

The OWASP Risk Rating Management Project will help owners/developers to avoid these problems when they implement a website security assessment. Even if they have many websites to assess, the Risk Rating Management Project can handle and record the risk score into its database, allowing the owner to assess and manage each website more easily. The owner can also use this methodology in different contexts, for example in a penetration testing project, or a security assessment.



The OWASP Risk Rating Management Project is a tool intended to educate users who want to assess more than one web application using the OWASP Risk Rating Methodology.

Installation Guide

  • Clone or download the repository from: https://github.com/mohammadfebrir/owasp-riskrating.git
  • Save it in your local htdocs directory (XAMPP/WAMP) or in /var/www/html/ (LAMP)
  • Install the project's Composer dependencies
  • Run from the command line: php artisan serve

More details: OWASP Risk Rating


How to use OWASP Risk Rating Methodology:

  • Step 1: Identifying a Risk
  • Step 2: Factors for Estimating Likelihood
  • Step 3: Factors for Estimating Impact
  • Step 4: Determining Severity of the Risk
  • Step 5: Deciding What to Fix
  • Step 6: Customizing Your Risk Rating Model
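As an added illustration of steps 2 to 4 (example code written for this page, not code from the project, which is a PHP/Laravel application), the scoring the methodology prescribes: likelihood is the average of the eight threat agent and vulnerability factors, impact is the average of the four technical impact factors, each average maps to a LOW/MEDIUM/HIGH band, and the pair of bands maps to the overall severity. The sample factor values are constructed.

```python
# Scoring from the OWASP Risk Rating Methodology (steps 2 to 4). Every factor is
# scored 0-9; likelihood and impact are plain averages of their factor groups.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")

# Step 4 severity matrix, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",     ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",  ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score: float) -> str:
    """Map a 0-9 average to the methodology's bands: LOW <3, MEDIUM <6, HIGH otherwise."""
    if score < 3:
        return "LOW"
    return "MEDIUM" if score < 6 else "HIGH"


def group_average(factors: dict, names: tuple) -> float:
    """Average one factor group, rejecting missing or out-of-range (not 0-9) scores."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    values = [factors[n] for n in names]
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("factors must be scored 0-9")
    return sum(values) / len(values)


def rate_risk(factors: dict) -> dict:
    """Return likelihood, impact, their bands and the overall severity for one finding."""
    likelihood = group_average(factors, THREAT_AGENT + VULNERABILITY)
    impact = group_average(factors, TECHNICAL_IMPACT)
    return {
        "likelihood": likelihood, "likelihood_level": level(likelihood),
        "impact": impact, "impact_level": level(impact),
        "severity": SEVERITY[(level(likelihood), level(impact))],
    }


# Constructed sample assessment for a single finding (illustrative values only).
# rate_risk(SAMPLE) -> likelihood 4.375 (MEDIUM), impact 7.25 (HIGH), severity "High"
SAMPLE = {
    "skill_level": 5, "motive": 2, "opportunity": 7, "size": 1,
    "ease_of_discovery": 3, "ease_of_exploit": 6, "awareness": 9, "intrusion_detection": 2,
    "loss_of_confidentiality": 9, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 8,
}
```

Step 5 (deciding what to fix) is then a matter of sorting findings by the returned severity, which is what the tool's database lets an owner do across many websites.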


The target audience for this Working Session is:

  • OWASP ZAP, Arachni, and other OSS scanner developers
  • Burp, Acunetix, and other commercial scanner developers
  • JavaScript front-end developers
  • Web application developers
  • Security auditors
  • Security consultants
  • Pen testers
  • Security analysts

Working materials

Here are the current ‘work in progress’ materials for this session (please add as much information as possible before the sessions)

