[Owasp-codereview] Code Review Guide: Update

Marco M. Morana marco.m.morana at gmail.com
Fri May 30 21:50:06 EDT 2008


Jeff

I could not agree more. The categorization should be defensive oriented such
as by the security control impacted by the vulnerability to drive the need
for a countermeasure. My vote based on my research is to use the Microsoft
ASF (Application Security Framework): Authentication, Authorization, Data
Validation (Input and Output), Data Protection in storage and transit
(Encryption), Session management, Exception Handling And Error Management,
Auditing and Logging. This is also the categorization used by Microsoft
(check JD Meier's work) and Foundstone/McAfee TM (check Rudolph Araujo and
Mark Curphey).

Regards

Marco

-----Original Message-----
From: owasp-codereview-bounces at lists.owasp.org
[mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Friday, May 30, 2008 4:21 PM
To: 'Paolo Perego'; Owasp-codereview at lists.owasp.org
Subject: Re: [Owasp-codereview] Code Review Guide: Update

Hi Paolo,

From a taxonomy perspective, I'd really like to try to stick to the basic
framework set out in the building and testing guides.  There are a zillion
ways to organize vulnerabilities - you can group them by principle, attack,
by control, by technical impact, etc... Check out the Mitre CWE if you want
to see what a mess this can be.

I believe the best way to organize them is by the control they are
associated with - authentication, access control, input validation,
encoding, logging, encryption, error handling, concurrency and so on...  By
sticking close to the associated control, we simplify the organization and
we have a chance of making everything pretty consistent.

Note: The OWASP ASDR project is creating the "Application Security Desk
Reference" which will contain a basic description of all of the principles,
threat agents, attacks, controls, impacts, etc... We're using the wiki to
link all of these so that people can browse the way they want, not by a
single-dimension rigid taxonomy.

--Jeff

-----Original Message-----
From: owasp-codereview-bounces at lists.owasp.org
[mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Paolo Perego
Sent: Friday, May 30, 2008 4:59 AM
To: Owasp-codereview at lists.owasp.org
Subject: Re: [Owasp-codereview] Code Review Guide: Update

2008/5/29 Eoin <eoin.keary at owasp.org>:
[snip]
> Severity  * Effort required to fix  = Win Factor (Easy win to fix)
>  -> This maps to a grid severity Vs Effort (like a risk matrix) shaded
> areas should be addressed.

Eoin, don't you think that "Effort required to fix" depends on
non-predictable external factors (such as how many people the development
team is comprised of, or how much skill the developers have)? It will
be difficult (IMHO) to formalize a score for "fixing effort" in order
to use it for our Win Factor score.

What's your opinion about this?

About Taxonomy or Vulnerability categories, I started writing
something on paper yesterday and I hope this weekend to populate
some part of the wiki page, so Marco, I'll give you the link and then we can
start a thread on the mailing list talking about this topic.

Ciao ciao
thesp0nge
_______________________________________________
Owasp-codereview mailing list
Owasp-codereview at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-codereview
