[Owasp-board] Using CWE / CVE in OWASP Top 10 2007

Andrew van der Stock vanderaj at owasp.org
Mon Jan 29 21:55:40 UTC 2007


Hi Steven,

Thanks for that! :) We reference CWE primarily as the source of the raw
vulnerability data. It might be a good idea to put the relevant CWEs in
near the samples to more fully illuminate the weaknesses we care about.

The release candidate can be found here:
http://www.owasp.org/index.php?title=Top_10_2007

Public comments are welcome until the end of February; feel free to pass the
document around to interested parties.

We've made a few changes since that chapter was PDF'd; making it more
general than just PHP alone. I will add the Suhosin and HardenedPHP links in
a later draft.

Thanks,
Andrew


On 1/29/07 4:49 PM, "Steven M. Christey" <coley at linus.mitre.org> wrote:

> 
> Hi Andrew,
> 
> I am definitely interested in reviewing the full document.
> 
> Feel free to link to the CVE pages; the links you gave are proper.
> 
> Note that individual CWE nodes can also be referenced, if you would like
> to do that.  For example, PHP File Inclusion (CWE-98) is here:
> 
>   http://cwe.mitre.org/data/definitions/98.html
> 
> And relative path traversal is CWE-23
> (http://cwe.mitre.org/data/definitions/23.html)
> 
> Let me know if OWASP is interested in referencing the CWEs; I could help
> with the mapping.  It would be a good exercise for CWE anyway, since I
> suspect the attack-based nature of web app vulns might not mesh with CWE
> perfectly.
> 
> The full CWE dictionary is at http://cwe.mitre.org/data/dictionary.html,
> or it could be downloaded.
> 
> FYI - for the PHP chapter you included, you might want to mention the
> Hardened PHP project and Suhosin.  I also noticed a few typos.
> 
> - Steve
