[Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?

Stephen Craig Evans stephencraig.evans at gmail.com
Wed Dec 17 01:24:48 EST 2008


Hi Leo,

Wow, that's great and the answer I was looking for. It looks like you
have your work cut out for you if the 500+ vulnerabilities in the ASDR
TOC are going to be categorized.

I really like the vulnerability categories in the Mindmap. FYI, they
map almost exactly to Symantec's proprietary Areas of Analysis (which
I assume came from @stake and it is somewhat dated) which is meant to
be kinda like a pentest checklist, which I guess is close to being a
vulnerability taxonomy.

One difference is that the AoA has a category "Data Integrity" which contains:
- Input Validation
- Client Side Validation
- Input Normalizing and Filtering
- Output Validation
- Transaction Preservation

Perhaps you could combine "Encoding" and "Input validation" into
something similar. I like to see "Output validation" listed explicitly
(a better description might be "Output sanitization") because all of
the time I run across clients that have web pages that display data
from various untrusted sources; and I see "All output must be
sanitized" in corporate secure coding guidelines. I haven't looked
into it yet in detail, but it seems that ESAPI does a pretty good job
of going over encoding and decoding. For sure, it's a headache.

Thanks,
Stephen


On Tue, Dec 16, 2008 at 8:38 PM, Leonardo Cavallari Militelli
<leonardocavallari at gmail.com> wrote:
> Hello Stephen,
>
> Actually, Fortify's and other donated contents are being updated by ASDR
> Project. Everything is open and can be accessed through this page:
> https://www.owasp.org/index.php/ASDR_Table_of_Contents
>
> What we are doing by now is discussing a concise set of categories for each
> topic, based on left side of this mindmap:
> https://www.owasp.org/images/e/ef/OWASP_ASDR.jpeg, that should be used to
> classify all articles in ASDR. This was made considering Cigital/McGraw's
> kingdom concepts among other existent taxonomies (CWE, CVE, etc).
>
> As Jeff pointed out, it's really difficult to define something that can
> handle everything in a unique taxonomy; what we are trying to do is make
> it as comprehensive as we can without overlapping.
>
> Any comment regarding above classification is much desired!
> Best,
> Leo
>
>
> On Tue, Dec 16, 2008 at 9:10 AM, Stephen Craig Evans
> <stephencraig.evans at gmail.com> wrote:
>>
>> So, you are saying that the Fortify document donated to OWASP was
>> never updated and it's not open to the public? Where is it?
>>
>> I don't understand how you can do metrics (or reporting) without a
>> taxonomy.
>>
>> Cheers,
>> Stephen
>>
>> On Tue, Dec 16, 2008 at 6:35 AM, Jeff Williams <jeff.williams at owasp.org>
>> wrote:
>> > The idea behind the honeycomb project and later the ASDR is that there
>> > is no
>> > strict taxonomy that will suit all needs for organizing vulnerabilities.
>> > There are several reasons that you can't fit all these things into a
>> > taxonomy:
>> >  - Vulnerabilities chain together (no canonicalization -> blacklist input
>> > validation -> no output encoding -> injection)
>> >  - Vulnerabilities are at different levels (lack of input validation vs.
>> > null-byte injection)
>> >  - Vulnerabilities overlap (CSRF authentication or authorization)
>> >  - The same vulnerability can have wildly different threats and impacts
>> > associated with it
>> >  - there are more...
>> >
>> > In the most recent incarnations of the ASDR and the 3 Guides, we're taking a
>> > more positive approach, organizing around security controls.  I recommend
>> > working with Leo to match the structure that he's come up with for the ASDR.
>> >
>> > --Jeff
>> >
>> > -----Original Message-----
>> > From: owasp-leaders-bounces at lists.owasp.org
>> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen Craig Evans
>> > Sent: Monday, December 15, 2008 1:36 PM
>> > To: Owasp leaders
>> > Subject: [Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?
>> >
>> > Hi,
>> >
>> > Fortify & Gary McGraw donated a vulnerability taxonomy to the OWASP
>> > Honeycomb Project, which seems to have been quickly absorbed by the
>> > ASDR project.
>> >
>> > I have kindly asked for a definitive taxonomy - it doesn't have to be
>> > Kingdom-Category-Subcategory as originally proposed - but what I have
>> > received so far is "check this for an example". That's not good
>> > enough.
>> >
>> > I want to use an OWASP-created or -endorsed taxonomy. No beating
>> > around the bush: does it exist or not? If it does (or partially),
>> > please send it to me. If it doesn't, I'll make up something on my own.
>> >
>> > Thanks in advance,
>> > Stephen
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >
>
>
>
>
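The vulnerability chain in Jeff's reply (no canonicalization -> blacklist input validation -> no output encoding -> injection), worked through as an added Python example that is not part of the original thread. The sample inputs are constructed, and the two pipelines are illustrative code written for this note, not ESAPI or any OWASP project code.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs: a percent-encoded value carrying markup, a
# double-encoded variant, and a benign name.
ENCODED_INPUT = "%3Cb%3Ehi%3C%2Fb%3E"        # decodes to <b>hi</b>
DOUBLE_ENCODED_INPUT = "%253Cb%253E"         # decodes to %3Cb%3E, then to <b>
BENIGN_INPUT = "Alice"

BLACKLIST = ("<", ">", "script")

def weak_pipeline(raw: str) -> str:
    """Every link of the chain at once: the blacklist runs on the raw,
    un-canonicalized value, the framework decodes it afterwards, and the
    result is reflected with no output encoding. The check never sees '<'."""
    if any(token in raw.lower() for token in BLACKLIST):
        raise ValueError("rejected by blacklist")
    decoded = unquote(raw)            # decoding happens after the check
    return f"<p>Hello {decoded}</p>"  # markup from the input lands in the page

def canonicalize(raw: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing (covers double encoding).
    A value still changing after max_rounds is treated as malformed."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input did not reach a canonical form")

# Allowlist for a display name: letters, spaces, dots, apostrophes, hyphens.
NAME_ALLOWLIST = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")

def hardened_pipeline(raw: str) -> str:
    """Canonicalize first, validate against an allowlist second, and encode
    for the HTML text context on output; each control covers the others."""
    value = canonicalize(raw)
    if not NAME_ALLOWLIST.fullmatch(value):
        raise ValueError("rejected by allowlist")
    return f"<p>Hello {html.escape(value)}</p>"

if __name__ == "__main__":
    print(weak_pipeline(ENCODED_INPUT))     # blacklist passed, markup injected
    print(hardened_pipeline(BENIGN_INPUT))  # <p>Hello Alice</p>
```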

