[Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?

Leonardo Cavallari Militelli leonardocavallari at gmail.com
Thu Dec 18 09:35:32 EST 2008


Stephen, I'll consider your points for the final version of categorization. Tks.

> After that, it got moved to the wiki and many more vulns and categories were
> added (some overlapping) to create the current OWASP Vulnerability category
> (http://www.owasp.org/index.php/Category:Vulnerability).

There's still much to do in this category, as we have 300+ stub/weak-content
articles. Just to let you know, I have defined a new template for
vulnerability articles
(https://www.owasp.org/index.php/Vulnerability_template) that should
cover nearly all needs.

Early next year, I'll recruit a task force to produce and review a set
of the most useful/important articles. Anyone interested in helping
out with this?

Leo

> The folks at MITRE (and many security product/consulting companies) have
> been pushing the CWE for use as a standard taxonomy for 'bad stuff that
> software have'.
> p.
>
> On Tue, Dec 16, 2008 at 4:38 AM, Leonardo Cavallari Militelli
> <leonardocavallari at gmail.com> wrote:
>>
>> Hello Stephen,
>>
>> Actually, Fortify's and other donated contents are being updated by the ASDR
>> Project. Everything is open and can be accessed through this page:
>> https://www.owasp.org/index.php/ASDR_Table_of_Contents
>>
>> What we are doing right now is discussing a concise set of categories for
>> each topic, based on the left side of this mindmap:
>> https://www.owasp.org/images/e/ef/OWASP_ASDR.jpeg, which should be used to
>> classify all articles in the ASDR. This was made considering Cigital/McGraw's
>> kingdom concepts among other existing taxonomies (CWE, CVE, etc.).
>>
>> As Jeff pointed out, it's really difficult to define something that can
>> handle everything in a single taxonomy; what we are trying to do is make
>> it as comprehensive as we can without overlapping.
>>
>> Any comment regarding the above classification is much desired!
>> Best,
>> Leo
>>
>>
>> On Tue, Dec 16, 2008 at 9:10 AM, Stephen Craig Evans
>> <stephencraig.evans at gmail.com> wrote:
>>>
>>> So, you are saying that the Fortify document donated to OWASP was
>>> never updated and it's not open to the public? Where is it?
>>>
>>> I don't understand how you can do metrics (or reporting) without a
>>> taxonomy.
>>>
>>> Cheers,
>>> Stephen
>>>
>>> On Tue, Dec 16, 2008 at 6:35 AM, Jeff Williams <jeff.williams at owasp.org>
>>> wrote:
>>> > The idea behind the honeycomb project and later the ASDR is that there is no
>>> > strict taxonomy that will suit all needs for organizing vulnerabilities.
>>> > There are several reasons that you can't fit all these things into a
>>> > taxonomy:
>>> >  - Vulnerabilities chain together (no canonicalization -> blacklist input
>>> >    validation -> no output encoding -> injection)
>>> >  - Vulnerabilities are at different levels (lack of input validation vs.
>>> >    null-byte injection)
>>> >  - Vulnerabilities overlap (CSRF authentication or authorization)
>>> >  - The same vulnerability can have wildly different threats and impacts
>>> >    associated with it
>>> >  - there are more...
>>> >
>>> > In the most recent incarnations of the ASDR and the 3 Guides, we're taking a
>>> > more positive approach, organizing around security controls.  I recommend
>>> > working with Leo to match the structure that he's come up with for the
>>> > ASDR.
>>> >
>>> > --Jeff
>>> >
>>> > -----Original Message-----
>>> > From: owasp-leaders-bounces at lists.owasp.org
>>> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen Craig Evans
>>> > Sent: Monday, December 15, 2008 1:36 PM
>>> > To: Owasp leaders
>>> > Subject: [Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?
>>> >
>>> > Hi,
>>> >
>>> > Fortify & Gary McGraw donated a vulnerability taxonomy to the OWASP
>>> > Honeycomb Project, which seems to have been quickly absorbed by the
>>> > ASDR project.
>>> >
>>> > I have kindly asked for a definitive taxonomy - it doesn't have to be
>>> > Kingdom-Category-Subcategory as originally proposed - but what I have
>>> > received so far is "check this for an example". That's not good
>>> > enough.
>>> >
>>> > I want to use an OWASP-created or -endorsed taxonomy. No beating
>>> > around the bush: does it exist or not? If it does (or partially),
>>> > please send it to me. If it doesn't, I'll make up something on my own.
>>> >
>>> > Thanks in advance,
>>> > Stephen
>>> > _______________________________________________
>>> > OWASP-Leaders mailing list
>>> > OWASP-Leaders at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> >
>>
>>
>>
>
>
>
> --
> ~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
> Pravir Chandra                      chandra<at>list<dot>org
> PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
> ~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
>
>
>

