[Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?

Leonardo Cavallari Militelli leonardocavallari at gmail.com
Tue Dec 16 07:38:35 EST 2008


Hello Stephen,

Actually, Fortify's and other donated contents are being updated by the ASDR
Project. Everything is open and can be accessed through this page:
https://www.owasp.org/index.php/ASDR_Table_of_Contents

What we are doing by now is discussing a concise set of categories for each
topic, based on the left side of this mindmap:
https://www.owasp.org/images/e/ef/OWASP_ASDR.jpeg, that should be used to
classify all articles in ASDR. This was made considering Cigital/McGraw's
kingdom concepts among other existing taxonomies (CWE, CVE, etc).

As Jeff pointed out, it's really difficult to define something that can
handle everything into a unique taxonomy; what we are trying to do is making
it as comprehensive as we can without overlapping.

Any comment regarding above classification is much desired!
Best,
Leo


On Tue, Dec 16, 2008 at 9:10 AM, Stephen Craig Evans <
stephencraig.evans at gmail.com> wrote:

> So, you are saying that the Fortify document donated to OWASP was
> never updated and it's not open to the public? Where is it?
>
> I don't understand how you can do metrics (or reporting) without a
> taxonomy.
>
> Cheers,
> Stephen
>
> On Tue, Dec 16, 2008 at 6:35 AM, Jeff Williams <jeff.williams at owasp.org>
> wrote:
> > The idea behind the honeycomb project and later the ASDR is that there is
> > no strict taxonomy that will suit all needs for organizing vulnerabilities.
> > There are several reasons that you can't fit all these things into a
> > taxonomy:
> >  - Vulnerabilities chain together (no canonicalization -> blacklist input
> > validation -> no output encoding -> injection)
> >  - Vulnerabilities are at different levels (lack of input validation vs.
> > null-byte injection)
> >  - Vulnerabilities overlap (CSRF authentication or authorization)
> >  - The same vulnerability can have wildly different threats and impacts
> > associated with it
> >  - there are more...
> >
> > In the most recent incarnations of the ASDR and the 3 Guides, we're
> > taking a more positive approach, organizing around security controls.  I
> > recommend working with Leo to match the structure that he's come up with
> > for the ASDR.
> >
> > --Jeff
> >
> > -----Original Message-----
> > From: owasp-leaders-bounces at lists.owasp.org
> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen
> Craig
> > Evans
> > Sent: Monday, December 15, 2008 1:36 PM
> > To: Owasp leaders
> > Subject: [Owasp-leaders] OWASP vulnerability taxonomy - does it exist or
> > not?
> >
> > Hi,
> >
> > Fortify & Gary McGraw donated a vulnerability taxonomy to the OWASP
> > Honeycomb Project, which seems to have been quickly absorbed by the
> > ASDR project.
> >
> > I have kindly asked for a definitive taxonomy - it doesn't have to be
> > Kingdom-Category-Subcategory as originally proposed - but what I have
> > received so far is "check this for an example". That's not good
> > enough.
> >
> > I want to use an OWASP-created or -endorsed taxonomy. No beating
> > around the bush: does it exist or not? If it does (or partially),
> > please send it to me. If it doesn't, I'll make up something on my own.
> >
> > Thanks in advance,
> > Stephen
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >