[Owasp-board] Using CWE / CVE in OWASP Top 10 2007

Andrew van der Stock vanderaj at owasp.org
Mon Jan 29 21:55:40 UTC 2007

Hi Steven,

Thanks for that! :) We reference CWE primarily as the source of the raw
vulnerability data. It might be a good idea to put the relevant CWE's in
near the samples to more fully illuminate the weaknesses we care about.

The release candidate can be found here:

Public comments are welcome until the end of February; feel free to pass the
document around to interested parties.

We've made a few changes since that chapter was PDF'd; making it more
general than just PHP alone. I will add the Suhosin and HardenedPHP links in
a later draft. 


On 1/29/07 4:49 PM, "Steven M. Christey" <coley at linus.mitre.org> wrote:

> Hi Andrew,
> I am definitely interested in reviewing the full document.
> Feel free to link to the CVE pages; the links you gave are proper.
> Note that individual CWE nodes can also be referenced, if you would like
> to do that.  For example, PHP File Inclusion (CWE-98) is here:
>   http://cwe.mitre.org/data/definitions/98.html
> And relative path traversal is CWE-23
> (http://cwe.mitre.org/data/definitions/23.html)
> Let me know if OWASP is interested in referencing the CWE's; I could help
> with the mapping.  It would be a good exercise for CWE anyway, since I
> suspect the attack-based nature of web app vulns might not mesh with CWE
> perfectly.
> The full CWE dictionary is at http://cwe.mitre.org/data/dictionary.html ,
> or it could be downloaded.
> FYI - for the PHP chapter you included, you might want to mention the
> Hardened PHP project and Suhosin.  I also noticed a few typos.
> - Steve

More information about the Owasp-board mailing list