[Owasp-board] Using CWE / CVE in OWASP Top 10 2007
Andrew van der Stock
vanderaj at owasp.org
Mon Jan 29 21:55:40 UTC 2007
Hi Steven,
Thanks for that! :) We reference CWE primarily as the source of the raw
vulnerability data. It might be a good idea to put the relevant CWE's in
near the samples to more fully illuminate the weaknesses we care about.
The release candidate can be found here:
http://www.owasp.org/index.php?title=Top_10_2007
Public comments are welcome until the end of February; feel free to pass the
document around to interested parties.
We've made a few changes since that chapter was PDF'd; making it more
general than just PHP alone. I will add the Suhosin and HardenedPHP links in
a later draft.
Thanks,
Andrew
On 1/29/07 4:49 PM, "Steven M. Christey" <coley at linus.mitre.org> wrote:
>
> Hi Andrew,
>
> I am definitely interested in reviewing the full document.
>
> Feel free to link to the CVE pages; the links you gave are proper.
>
> Note that individual CWE nodes can also be referenced, if you would like
> to do that. For example, PHP File Inclusion (CWE-98) is here:
>
> http://cwe.mitre.org/data/definitions/98.html
>
> And relative path traversal is CWE-23
> (http://cwe.mitre.org/data/definitions/23.html)
>
> Let me know if OWASP is interested in referencing the CWE's; I could help
> with the mapping. It would be a good exercise for CWE anyway, since I
> suspect the attack-based nature of web app vulns might not mesh with CWE
> perfectly.
>
> The full CWE dictionary is at http://cwe.mitre.org/data/dictionary.html ,
> or it could be downloaded.
>
> FYI - for the PHP chapter you included, you might want to mention the
> Hardened PHP project and Suhosin. I also noticed a few typos.
>
> - Steve
More information about the Owasp-board
mailing list