[Owasp-leaders] Fwd: [WEB SECURITY] WASC Announcement: WASC Threat Classification v2.0 Published

LeoCavallari leo.cavallari at owasp.org
Mon Jan 4 05:48:52 EST 2010


I was contacted by Robert Auger some time ago about plugging in technical and
business impact articles from OWASP
ASDR <www.owasp.org/index.php/Category:OWASP_ASDR_Project> to the TC,
but he decided to put it aside for a while. I like the idea of
having WASC working together.

TC is only for attacks and weaknesses, it has a well defined objective and
limited number of articles, while ASDR is a more robust reference guide,
with tons of structured articles and interconnected with other OWASP guides
(but many incomplete and out-of-date too) that helps with research, learning
and threat modeling.

As the ASDR project leader, I have to say that the project is running at
a minor pace and it's necessary to have more guys working on it in order to
produce a really usable guide.

I take this chance to invite leaders willing to cooperate with ASDR and use
your expertise to build missing or out-of-date articles, thus cooperating with
the project. Send me an email and I'll give directions.

Cheers,
Leo Cavallari




On Mon, Jan 4, 2010 at 1:55 AM, Jeff Williams <jeff.williams at owasp.org> wrote:

>  If you follow the model in the new OWASP Top 10, the attacks and
> weaknesses are two of the parts of any appsec risk. I’m glad to see them
> taking the approach that security problems are (in general) a problem with
> security controls.  This is exactly the approach we’ve adopted in many OWASP
> materials, particularly the ASVS and ESAPI.
>
>
>
> --Jeff
>
>
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Jim Manico
> *Sent:* Sunday, January 03, 2010 9:59 PM
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] Fwd: [WEB SECURITY] WASC Announcement: WASC
> Threat Classification v2.0 Published
>
>
>
> My personal opinion is that it is a useful attack-centric perspective of
> the AppSec world. It would not be difficult to cross-correlate the Top Ten,
> ESAPI and ASVS and the WASC TC. The relations are fairly straightforward.
> And they Wikified it, power to them.
>
> On this topic - I am still bullish on a WASC-OWASP merger. Perhaps offer
> WASC leadership a few seats on the board. Robert Auger and crew are good
> people. http://www.webappsec.org/officers.shtml
>
> - Jim
>
>
>
>  Question: What is OWASP's position of WASC TC v2.0 and how does it relate
> to the current materials we have published at OWASP?
>
>
>
> Note that these materials (
> http://projects.webappsec.org/Threat-Classification) are released
> under CC 3.0
>
>
>
> Dinis Cruz
>
> ---------- Forwarded message ----------
> From: <robert at webappsec.org>
> Date: Sat, Jan 2, 2010 at 12:56 AM
> Subject: [WEB SECURITY] WASC Announcement: WASC Threat Classification v2.0
> Published
> To: websecurity at webappsec.org
>
>
> The Web Application Security Consortium (WASC) is pleased to announce the
> long awaited release of the WASC
> Threat Classification v2.0. The Threat Classification is an effort to
> classify the weaknesses, and attacks
> that can lead to the compromise of a website, its data, or its users. This
> document's primary purpose is
> to serve as a reference guide for common attacks and weaknesses.
>
> Main goals
> - Refine document scope, terminology, and purpose
> - Update existing sections when applicable
> - Add missing attacks and weaknesses
> - Creation of a firm, scalable base foundation allowing for the
> introduction of data views allowing for various
>  forms of data representation
> - Addition of attack and weakness reference identifiers (WASC-<xx>)
> - Publication of two data views
>
>
> WASC Threat Classification v2.0 Online
> http://projects.webappsec.org/Threat-Classification
>
> Using the Threat Classification
> http://projects.webappsec.org/Using-the-Threat-Classification
>
> Threat Classification Authors and Contributors
> http://projects.webappsec.org/Threat-Classification-Authors
>
> WASC Threat Classification FAQ
> http://projects.webappsec.org/Threat-Classification-FAQ
>
> WASC Reference Identifier Grid
> http://projects.webappsec.org/Threat-Classification-Reference-Grid
>
> Threat Classification Data Views
> http://projects.webappsec.org/Threat-Classification-Views
>
>
> We have already started scoping the next minor release of the Threat
> Classification, and are seeking contributors.
> If you are interested in participating in the next release of the WASC
> Threat Classification please contact us at
> contact_at_ at webappsec.org with the subject 'WASC Threat Classification
> Contribution Inquiry'.
>
> Questions can be directed to Robert Auger (contact_at_webappsec.org) with
> the subject 'WASC TC Inquiry'.
>
>
> Regards,
> - Robert Auger
> WASC Threat Classification Project leader/WASC Co Founder
> http://projects.webappsec.org/Threat-Classification
> http://www.webappsec.org/ The Web Application Security Consortium
>
>
> _______________________________________________
>
> OWASP-Leaders mailing list
>
> OWASP-Leaders at lists.owasp.org
>
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
>
>
>
>  --
>
>
>
> - Jim Manico
>
> OWASP ESAPI Project Manager
>
> http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>
>
>
> OWASP Podcast Host/Producer
>
> http://www.owasp.org/index.php/OWASP_Podcast
>
>