[Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?

Andrew Petukhov petand at lvk.cs.msu.su
Tue Dec 16 03:38:45 EST 2008


Nam Nguyen wrote:
> On Mon, 15 Dec 2008 17:35:55 -0500
> "Jeff Williams" <jeff.williams at owasp.org> wrote:
> 
>> The idea behind the honeycomb project and later the ASDR is that there is no
>> strict taxonomy that will suit all needs for organizing vulnerabilities.
>> There are several reasons that you can't fit all these things into a
>> taxonomy:
> 
> This was also reflected in the OWASP Top Ten 2004 and 2007. The taxonomy changes in these two documents show that there is not a strict, carved in stone type, of taxonomy.
> 

Well, OWASP Top projects are not taxonomies and were never intended to
be. They are indeed groupings with a totally different purpose (compared
to the purposes of taxonomies).

The fact is, good taxonomies have taxonomic categories with the
following characteristics:
1.	Mutually exclusive: the categories do not overlap.
2.	Exhaustive: taken together, the categories include all the
possibilities.
3.	Unambiguous: clear and precise so that classification is not
uncertain, regardless of who is classifying.
4.	Repeatable: repeated applications result in the same classification,
regardless of who is classifying.
5.	Accepted: logical and intuitive so that categories could become
generally approved.
6.	Useful: could be used to gain insight into the field of inquiry.

Moreover, there is no such thing as the ultimate taxonomy. Rather, each
taxonomy is designed for the specific intended usage. Hence, the value
of each taxonomy and its usefulness should be considered along with the
viewpoint and the scope that the authors thereof had intended. Thus, the
authors of a certain taxonomy should explicitly state the intended
usage, the scope and the viewpoint thereof.

And, I think, these are the reasons why OWASP or other communities had
not adopted a common taxonomy:
1. The viewpoint and intended usages are different (i.e. WASC threat
classification is performed from an attacker's standpoint, it is useless
in source code analysis).
2. Strict taxonomies are often useless. Let me give an example of this:
I can classify vulnerabilities according to the SDLC stage they were
introduced. This is a strict taxonomy. However, it's rather useless.

However, I do think, that groupings should be developed with those
requirements in mind and if possible should converge to taxonomies...

Cheers,
Andrew


> Cheers
> Nam
> 
>>  - Vulnerabilities chain together (no canonicalization -> blacklist input
>> validation -> no output encoding -> injection)
>>  - Vulnerabilities are at different levels (lack of input validation vs.
>> null-byte injection)
>>  - Vulnerabilities overlap (CSRF authentication or authorization)
>>  - The same vulnerability can have wildly different threats and impacts
>> associated with it
>>  - there are more...
>>
>> In the most recent incarnations of the ASDR and the 3 Guides, we're taking a
>> more positive approach, organizing around security controls.  I recommend
>> working with Leo to match the structure that he's come up with for the ASDR.
>>
>> --Jeff
>>
>> -----Original Message-----
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen Craig
>> Evans
>> Sent: Monday, December 15, 2008 1:36 PM
>> To: Owasp leaders
>> Subject: [Owasp-leaders] OWASP vulnerability taxonomy - does it exist or
>> not?
>>
>> Hi,
>>
>> Fortify & Gary McGraw donated a vulnerability taxonomy to the OWASP
>> Honeycomb Project, which seems to have been quickly absorbed by the
>> ASDR project.
>>
>> I have kindly asked for a definitive taxonomy - it doesn't have to be
>> Kingdom-Category-Subcategory as originally proposed - but what I have
>> received so far is "check this for an example". That's not good
>> enough.
>>
>> I want to use an OWASP-created  or -endorsed taxonomy. No beating
>> around the bush: does it exist or not? If it does (or partially),
>> please send it to me. If it doesn't, I'll make up something on my own.
>>
>> Thanks in advance,
>> Stephen
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
> 
> 


