[Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?

Nam Nguyen namn at bluemoon.com.vn
Tue Dec 16 03:16:35 EST 2008


On Mon, 15 Dec 2008 17:35:55 -0500
"Jeff Williams" <jeff.williams at owasp.org> wrote:

> The idea behind the honeycomb project and later the ASDR is that there is no
> strict taxonomy that will suit all needs for organizing vulnerabilities.
> There are several reasons that you can't fit all these things into a
> taxonomy:

This was also reflected in the OWASP Top Ten 2004 and 2007. The taxonomy changes between these two documents show that there is no strict, carved-in-stone type of taxonomy.

Cheers
Nam

>  - Vulnerabilities chain together (no canonicalization -> blacklist input
> validation -> no output encoding -> injection)
>  - Vulnerabilities are at different levels (lack of input validation vs.
> null-byte injection)
>  - Vulnerabilities overlap (CSRF authentication or authorization)
>  - The same vulnerability can have wildly different threats and impacts
> associated with it
>  - there are more...
> 
> In the most recent incarnations of the ASDR and the 3 Guides, we're taking a
> more positive approach, organizing around security controls.  I recommend
> working with Leo to match the structure that he's come up with for the ASDR.
> 
> --Jeff
> 
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen Craig
> Evans
> Sent: Monday, December 15, 2008 1:36 PM
> To: Owasp leaders
> Subject: [Owasp-leaders] OWASP vulnerability taxonomy - does it exist or
> not?
> 
> Hi,
> 
> Fortify & Gary McGraw donated a vulnerability taxonomy to the OWASP
> Honeycomb Project, which seems to have been quickly absorbed by the
> ASDR project.
> 
> I have kindly asked for a definitive taxonomy - it doesn't have to be
> Kingdom-Category-Subcategory as originally proposed - but what I have
> received so far is "check this for an example". That's not good
> enough.
> 
> I want to use an OWASP-created  or -endorsed taxonomy. No beating
> around the bush: does it exist or not? If it does (or partially),
> please send it to me. If it doesn't, I'll make up something on my own.
> 
> Thanks in advance,
> Stephen
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


-- 
Nam
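Jeff's first bullet (no canonicalization -> blacklist input validation -> no output encoding -> injection) is the kind of chain a taxonomy struggles to file under one heading, because each link is a separate weakness and only their combination produces the injection. The following Python is an added illustration, not code from the thread or from any OWASP project: it puts a deliberately weak pipeline (blacklist only, no canonicalization, no encoding) beside a hardened one (canonicalize, allowlist, encode on output) and runs a few constructed sample values through both. The pipeline and helper names are assumptions made for this example.

```python
import html
import unicodedata
from urllib.parse import unquote

# Constructed sample inputs for the example (not taken from the thread).
SAMPLES = {
    "plain": "alice_01",
    "encoded": "%3Cscript%3E",             # percent-encoded "<script>"
    "double_encoded": "%253Cscript%253E",  # decodes to "%3Cscript%3E", then "<script>"
    "fullwidth": "\uff1cscript\uff1e",     # fullwidth angle brackets; NFKC folds them to < >
}


def canonicalize(value: str, max_rounds: int = 4) -> str:
    """Reduce input to one canonical form before any check runs.

    Percent-decoding is repeated until the value is stable (bounded, so a
    pathological input cannot loop forever), then Unicode NFKC folding collapses
    look-alike characters such as fullwidth brackets onto their ASCII forms.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        # Still changing after max_rounds: treat as hostile rather than guess.
        raise ValueError("input did not stabilise under decoding")
    return unicodedata.normalize("NFKC", value)


def blacklist_validate(value: str) -> bool:
    """The weak link the thread describes: rejects only literal '<' and '>'."""
    return "<" not in value and ">" not in value


def allowlist_validate(value: str) -> bool:
    """Positive check: only what a username legitimately contains (assumed policy)."""
    return (
        0 < len(value) <= 32
        and value.isascii()
        and value.replace("_", "").isalnum()
    )


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text/attribute context."""
    return html.escape(value, quote=True)


def weak_pipeline(raw: str):
    """No canonicalization, blacklist validation, no output encoding.

    Returns the value that would be written into the page, or None if rejected.
    The percent-encoded and fullwidth samples pass untouched; whatever decodes
    or folds them downstream (a browser, another service) completes the chain.
    """
    if not blacklist_validate(raw):
        return None
    return raw


def hardened_pipeline(raw: str):
    """Canonicalize, allowlist, then encode on output; each step breaks the chain."""
    try:
        canon = canonicalize(raw)
    except ValueError:
        return None
    if not allowlist_validate(canon):
        return None
    return encode_for_html(canon)


def compare(samples=SAMPLES):
    """Run every sample through both pipelines; returns {name: (weak, hardened)}."""
    return {name: (weak_pipeline(v), hardened_pipeline(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (weak, hardened) in compare().items():
        print(f"{name:15} weak={weak!r:24} hardened={hardened!r}")
```

The weak pipeline lets every non-plain sample through unchanged, which is exactly why the thread lists the chain rather than a single named flaw: no individual link is "the vulnerability". The hardened pipeline rejects all three because canonicalization runs before validation, and even a value that somehow reached output would be neutralised by `encode_for_html`.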

