[Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?

Pravir Chandra chandra at list.org
Tue Dec 16 19:14:29 EST 2008


I agree with lots that has already been said, but in terms of hard
documents, there is the slightly dated taxonomy that was in CLASP. After
that, it got moved to the wiki and many more vulns and categories were added
(some overlapping) to create the current OWASP Vulnerability category (
http://www.owasp.org/index.php/Category:Vulnerability).
The folks at MITRE (and many security product/consulting companies) have
been pushing the CWE for use as a standard taxonomy for 'bad stuff that
software has'.

p.

On Tue, Dec 16, 2008 at 4:38 AM, Leonardo Cavallari Militelli <
leonardocavallari at gmail.com> wrote:

> Hello Stephen,
>
> Actually, Fortify's and other donated contents are being updated by the ASDR
> Project. Everything is open and can be accessed through this page:
> https://www.owasp.org/index.php/ASDR_Table_of_Contents
>
> What we are doing now is discussing a concise set of categories for each
> topic, based on the left side of this mindmap:
> https://www.owasp.org/images/e/ef/OWASP_ASDR.jpeg, that should be used to
> classify all articles in ASDR. This was made considering Cigital/McGraw's
> kingdom concepts among other existing taxonomies (CWE, CVE, etc).
>
> As Jeff pointed out, it's really difficult to define something that can
> handle everything in a unique taxonomy; what we are trying to do is make
> it as comprehensive as we can without overlapping.
>
> Any comment regarding above classification is much desired!
> Best,
> Leo
>
>
> On Tue, Dec 16, 2008 at 9:10 AM, Stephen Craig Evans <
> stephencraig.evans at gmail.com> wrote:
>
>> So, you are saying that the Fortify document donated to OWASP was
>> never updated and it's not open to the public? Where is it?
>>
>> I don't understand how you can do metrics (or reporting) without a
>> taxonomy.
>>
>> Cheers,
>> Stephen
>>
>> On Tue, Dec 16, 2008 at 6:35 AM, Jeff Williams <jeff.williams at owasp.org>
>> wrote:
>> > The idea behind the honeycomb project and later the ASDR is that there is no
>> > strict taxonomy that will suit all needs for organizing vulnerabilities.
>> > There are several reasons that you can't fit all these things into a
>> > taxonomy:
>> >  - Vulnerabilities chain together (no canonicalization -> blacklist input
>> > validation -> no output encoding -> injection)
>> >  - Vulnerabilities are at different levels (lack of input validation vs.
>> > null-byte injection)
>> >  - Vulnerabilities overlap (CSRF authentication or authorization)
>> >  - The same vulnerability can have wildly different threats and impacts
>> > associated with it
>> >  - there are more...
>> >
>> > In the most recent incarnations of the ASDR and the 3 Guides, we're taking a
>> > more positive approach, organizing around security controls.  I recommend
>> > working with Leo to match the structure that he's come up with for the ASDR.
>> >
>> > --Jeff
>> >
>> > -----Original Message-----
>> > From: owasp-leaders-bounces at lists.owasp.org
>> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen Craig Evans
>> > Sent: Monday, December 15, 2008 1:36 PM
>> > To: Owasp leaders
>> > Subject: [Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?
>> >
>> > Hi,
>> >
>> > Fortify & Gary McGraw donated a vulnerability taxonomy to the OWASP
>> > Honeycomb Project, which seems to have been quickly absorbed by the
>> > ASDR project.
>> >
>> > I have kindly asked for a definitive taxonomy - it doesn't have to be
>> > Kingdom-Category-Subcategory as originally proposed - but what I have
>> > received so far is "check this for an example". That's not good
>> > enough.
>> >
>> > I want to use an OWASP-created or -endorsed taxonomy. No beating
>> > around the bush: does it exist or not? If it does (or partially),
>> > please send it to me. If it doesn't, I'll make up something on my own.
>> >
>> > Thanks in advance,
>> > Stephen
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >
>
>
>
>


-- 
~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra                      chandra<at>list<dot>org
PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
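The chain Jeff lists in the quoted message above (no canonicalization -> blacklist input validation -> no output encoding -> injection) can be shown concretely. The following is an added example, not code from the thread or from any OWASP project; the request values, the blacklist and the allowlist are constructed for illustration. The point it makes is the one Jeff raises: the same attack is stopped by fixing any one of the three links, so there is no single taxonomy bucket that owns "the" vulnerability.

```python
import html
import re
import urllib.parse

# Constructed sample inputs (not taken from the thread). The attacker submits a
# double-URL-encoded payload; the web framework decodes one layer, so this is
# what application code sees in the request parameter.
BENIGN_NAME = "Leo"
ATTACK_NAME = "%3Cscript%3Ealert(1)%3C/script%3E"

# Hypothetical blacklist of "known bad" substrings (link 2 of the chain).
BLACKLIST = ("<script", "javascript:", "onerror=")
# Hypothetical allowlist for a display name: the positive control Jeff prefers.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9 .'-]{1,64}")


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Decode URL escapes until the value stops changing (a fixed point).

    Input that never settles is refused: a legitimate name does not need
    three layers of percent-encoding.
    """
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input does not canonicalize")


def passes_blacklist(value: str) -> bool:
    """Reject known-bad substrings in whatever form the value was handed over."""
    lowered = value.lower()
    return not any(bad in lowered for bad in BLACKLIST)


def passes_allowlist(value: str) -> bool:
    """Accept only characters a display name may contain."""
    return ALLOWED_NAME.fullmatch(value) is not None


def render_greeting(raw_param: str, *, canonicalize_first: bool,
                    use_allowlist: bool, encode_output: bool) -> str:
    """Render the greeting with each link of the chain fixed or left broken.

    Returns the HTML fragment, or raises ValueError if validation rejects it.
    """
    value = canonicalize(raw_param) if canonicalize_first else raw_param
    check = passes_allowlist if use_allowlist else passes_blacklist
    if not check(value):
        raise ValueError("input rejected by validation")
    if not canonicalize_first:
        # Legacy behaviour: a helper further down the stack decodes the
        # parameter again, after validation already ran on the encoded form.
        value = urllib.parse.unquote(value)
    body = html.escape(value, quote=True) if encode_output else value
    return f"<p>Hello, {body}</p>"


def vulnerable(raw_param: str) -> str:
    """All three links broken: the payload reaches the page as live markup."""
    return render_greeting(raw_param, canonicalize_first=False,
                           use_allowlist=False, encode_output=False)


def hardened(raw_param: str) -> str:
    """All three links fixed: canonicalize, allowlist, then encode for HTML."""
    return render_greeting(raw_param, canonicalize_first=True,
                           use_allowlist=True, encode_output=True)


def rejected(render, raw_param: str) -> bool:
    """True if the given renderer refuses the input."""
    try:
        render(raw_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable :", vulnerable(ATTACK_NAME))
    print("encode only:", render_greeting(ATTACK_NAME, canonicalize_first=False,
                                          use_allowlist=False, encode_output=True))
    print("hardened   :", "rejected" if rejected(hardened, ATTACK_NAME)
          else hardened(ATTACK_NAME))
```

Running it shows the three independent break points: canonicalizing before the blacklist makes the blacklist match, the allowlist rejects the encoded form outright, and output encoding alone turns the decoded payload into inert text. Which of those a scanner reports (canonicalization, validation or encoding) depends on which link it looks at, which is why the categories overlap.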

