[Owasp-codereview] Code Review Guide: Update

Jeff Williams jeff.williams at owasp.org
Fri May 30 16:21:06 EDT 2008


Hi Paolo,

From a taxonomy perspective, I'd really like to try to stick to the basic
framework set out in the building and testing guides.  There are a zillion
ways to organize vulnerabilities - you can group them by principle, attack,
by control, by technical impact, etc... Check out the Mitre CWE if you want
to see what a mess this can be.

I believe the best way to organize them is by the control they are
associated with - authentication, access control, input validation,
encoding, logging, encryption, error handling, concurrency and so on...  By
sticking close to the associated control, we simplify the organization and
we have a chance of making everything pretty consistent.

Note: The OWASP ASDR project is creating the "Application Security Desk
Reference" which will contain a basic description of all of the principles,
threat agents, attacks, controls, impacts, etc... We're using the wiki to
link all of these so that people can browse the way they want, not by a
single-dimension rigid taxonomy.

--Jeff

-----Original Message-----
From: owasp-codereview-bounces at lists.owasp.org
[mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Paolo Perego
Sent: Friday, May 30, 2008 4:59 AM
To: Owasp-codereview at lists.owasp.org
Subject: Re: [Owasp-codereview] Code Review Guide: Update

2008/5/29 Eoin <eoin.keary at owasp.org>:
[snip]
> Severity  * Effort required to fix  = Win Factor (Easy win to fix)
>  -> This maps to a grid severity Vs Effort (like a risk matrix) shaded
> areas should be addressed.

Eoin, don't you think that "Effort required to fix" depends on
non-predictable external factors such as (how many people the development
team is comprised of? how skilled are the developers?)? It will
be difficult (IMHO) to formalize a score for "fixing effort" in order
to use it for our Win Factor score.

What's your opinion about this?

On the topic of Taxonomy or Vulnerability categories, I started writing
something on paper yesterday and I hope this weekend to populate
some part of the wiki page, so Marco, I'll give you the link and then we can
start a thread on the mailing list talking about this topic.

Ciao ciao
thesp0nge
_______________________________________________
Owasp-codereview mailing list
Owasp-codereview at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-codereview
