[Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?

Jeff Williams jeff.williams at owasp.org
Mon Dec 15 17:35:55 EST 2008

The idea behind the honeycomb project and later the ASDR is that there is no
strict taxonomy that will suit all needs for organizing vulnerabilities.
There are several reasons that you can't fit all these things into a
 - Vulnerabilities chain together (no canonicalization -> blacklist input validation -> no output encoding -> injection)
 - Vulnerabilities are at different levels (lack of input validation vs. null-byte injection)
 - Vulnerabilities overlap (CSRF authentication or authorization)
 - The same vulnerability can have wildly different threats and impacts associated with it
 - There are more...

In the most recent incarnations of the ASDR and the 3 Guides, we're taking a
more positive approach, organizing around security controls.  I recommend
working with Leo to match the structure that he's come up with for the ASDR.
-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen Craig
Sent: Monday, December 15, 2008 1:36 PM
To: Owasp leaders
Subject: [Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?

Fortify & Gary McGraw donated a vulnerability taxonomy to the OWASP
Honeycomb Project, which seems to have been quickly absorbed by the
ASDR project.

I have kindly asked for a definitive taxonomy - it doesn't have to be
Kingdom-Category-Subcategory as originally proposed - but what I have
received so far is "check this for an example". That's not good

I want to use an OWASP-created or -endorsed taxonomy. No beating
around the bush: does it exist or not? If it does (or partially),
please send it to me. If it doesn't, I'll make up something on my own.

Thanks in advance,