OWASP Risk Impact Questionnaire

OWASP

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Among its many projects, OWASP publishes open source tools such as OWASP ZAP (Zed Attack Proxy) and OWASP Dependency-Check (both of which ZeroNorth supports), as well as deliberately vulnerable applications such as WebGoat and NodeGoat that teach developers and security teams how to find and fix security vulnerabilities.

OWASP Risk Impact Estimate

The OWASP Risk Impact Estimate is the impact half of the OWASP Risk Rating Methodology: a structured way to estimate how much harm a successful exploit would cause. It is separate from the likelihood factors (threat agent and vulnerability factors) that estimate how probable an exploit is.

Relating to ZeroNorth

The score that results from completing the OWASP Risk Impact Estimate questionnaire is an attribute of an Application.

The questionnaire has two options: Business and Technical. An Application has either a Business score or a Technical score, never both. Each option asks four questions; every answer carries a different weight, and the weights of the customer's answers determine the overall score.

Business

The Business option uses OWASP's business impact factors: the financial, reputational, compliance, and privacy consequences of a successful exploit.

Factors

Financial damage: How much financial damage will result from an exploit?

  • None
  • Less than the cost to fix the vulnerability (1)
  • Minor effect on annual profit (3)
  • Significant effect on annual profit (7)
  • Bankruptcy (9)

Reputational damage: Would an exploit result in reputational damage and harm the business?

  • None
  • Minimal damage (1)
  • Loss of major accounts (4)
  • Loss of goodwill (5)
  • Brand damage (9)

Non-compliance: How much exposure does non-compliance introduce?

  • None
  • Minor violation (2)
  • Clear violation (5)
  • High profile violation (7)

Privacy violation: How much personally identifiable information could be disclosed?

  • None
  • One individual (1)
  • Hundreds of people (4)
  • Thousands of people (5)
  • Millions of people (9)

Technical

The Technical option uses OWASP's technical impact factors: the loss of confidentiality, integrity, accountability, and availability that a successful exploit would cause.

Factors

Loss of confidentiality: How much data could be disclosed and how sensitive is it?

  • None
  • Minimal non-sensitive data disclosed (2)
  • Minimal critical or extensive non-sensitive data disclosed (6)
  • Extensive critical data disclosed (7)
  • All data disclosed (9)

Loss of integrity: How much data could be corrupted and how damaged is it?

  • None
  • Minimal slightly corrupt data (1)
  • Minimal seriously corrupt data (3)
  • Extensive slightly corrupt data (5)
  • Extensive seriously corrupt data (7)
  • All data totally corrupt (9)

Loss of accountability: Are the threat agent's actions traceable to an individual?

  • None
  • Fully traceable (1)
  • Possibly traceable (7)
  • Completely anonymous (9)

Loss of availability: How much service could be lost and how vital is it?

  • None
  • Minimal secondary service interrupted (1)
  • Minimal primary or extensive secondary services interrupted (5)
  • Extensive primary services interrupted (7)
  • All services completely lost (9)
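The following is an added worked example, not ZeroNorth's code and not part of the original page: it encodes the Business and Technical answer tables above, enforces the rule that an Application gets one option and not both, and combines the four factor scores. The aggregation it uses (arithmetic mean of the four factors, banded LOW below 3, MEDIUM from 3 to below 6, HIGH at 6 and above) is how the OWASP Risk Rating Methodology combines impact factors; whether ZeroNorth's Impact score aggregates the same way is an assumption, as are the function and factor names.

```python
"""Score the OWASP Risk Impact questionnaire (added example, not ZeroNorth code).

Assumptions not stated on the page: factors are combined by arithmetic mean
and banded LOW (< 3), MEDIUM (3 to < 6), HIGH (>= 6), following the OWASP
Risk Rating Methodology. Factor keys and function names are illustrative.
"""

# Answer weights transcribed from the questionnaire tables. "None" scores 0.
BUSINESS = {
    "financial_damage": {
        "None": 0,
        "Less than the cost to fix the vulnerability": 1,
        "Minor effect on annual profit": 3,
        "Significant effect on annual profit": 7,
        "Bankruptcy": 9,
    },
    "reputational_damage": {
        "None": 0,
        "Minimal damage": 1,
        "Loss of major accounts": 4,
        "Loss of goodwill": 5,
        "Brand damage": 9,
    },
    "non_compliance": {
        "None": 0,
        "Minor violation": 2,
        "Clear violation": 5,
        "High profile violation": 7,
    },
    "privacy_violation": {
        "None": 0,
        "One individual": 1,
        "Hundreds of people": 4,
        "Thousands of people": 5,
        "Millions of people": 9,
    },
}

TECHNICAL = {
    "loss_of_confidentiality": {
        "None": 0,
        "Minimal non-sensitive data disclosed": 2,
        "Minimal critical or extensive non-sensitive data disclosed": 6,
        "Extensive critical data disclosed": 7,
        "All data disclosed": 9,
    },
    "loss_of_integrity": {
        "None": 0,
        "Minimal slightly corrupt data": 1,
        "Minimal seriously corrupt data": 3,
        "Extensive slightly corrupt data": 5,
        "Extensive seriously corrupt data": 7,
        "All data totally corrupt": 9,
    },
    "loss_of_accountability": {
        "None": 0,
        "Fully traceable": 1,
        "Possibly traceable": 7,
        "Completely anonymous": 9,
    },
    "loss_of_availability": {
        "None": 0,
        "Minimal secondary service interrupted": 1,
        "Minimal primary or extensive secondary services interrupted": 5,
        "Extensive primary services interrupted": 7,
        "All services completely lost": 9,
    },
}

QUESTIONNAIRES = {"business": BUSINESS, "technical": TECHNICAL}


def band(average):
    """OWASP impact band for an averaged factor score (assumed thresholds)."""
    if average < 3:
        return "LOW"
    if average < 6:
        return "MEDIUM"
    return "HIGH"


def score_impact(option, answers):
    """Return (factor_scores, average, band) for one questionnaire option.

    option  : "business" or "technical"; an Application gets one, not both.
    answers : dict mapping every factor of that option to one answer string.
    Unknown options, missing/extra factors, or misspelled answers raise
    ValueError so a typo can never silently score as "None" (0).
    """
    if option not in QUESTIONNAIRES:
        raise ValueError(f"option must be 'business' or 'technical', got {option!r}")
    table = QUESTIONNAIRES[option]
    missing = set(table) - set(answers)
    extra = set(answers) - set(table)
    if missing or extra:
        raise ValueError(f"missing factors {sorted(missing)}, unexpected {sorted(extra)}")
    scores = {}
    for factor, answer in answers.items():
        choices = table[factor]
        if answer not in choices:
            raise ValueError(f"{factor}: {answer!r} is not one of {list(choices)}")
        scores[factor] = choices[answer]
    average = sum(scores.values()) / len(scores)
    return scores, average, band(average)


if __name__ == "__main__":
    # Constructed sample answers for a hypothetical Application.
    print(score_impact("business", {
        "financial_damage": "Minor effect on annual profit",
        "reputational_damage": "Loss of major accounts",
        "non_compliance": "Clear violation",
        "privacy_violation": "Thousands of people",
    }))
```

Keeping the answer text as the lookup key (rather than a position in the list) means a reordered or re-worded option in a UI export fails loudly instead of being scored under the wrong weight.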

Score

End users can view the score produced by the questionnaire in two places: in znOPS > Applications, or in znHUB > Enterprise Dashboard > Individual Application Risk widget, where hovering over a bubble (each bubble represents one Application) shows its "Impact" score.

View from Enterprise Dashboard