[Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?

Blake Cornell blake at owasp.org
Thu Dec 18 17:05:07 EST 2008


Hello All,

I'm not familiar with the technology used for the first podcast.  If anyone
is familiar with the implementation used please let me know some specs.  It
would allow me to tune potential requirements.

I've mocked up podcast workflows with Asterisk in the past.  My perceived
ideal implementation of a modular and extensible podcast
integration/workflow goes roughly as follows.

A podcast's participants require easy accessibility and availability.  This
can be accomplished by distributing an 800 number to a remotely hosted
conferencing server.  Utilizing a simple web app we could authenticate,
create and delete valid conference codes.  The system would automatically
record all calls while following current legal practices (ensure continuous
beeping for international needs as well as a 'for training purposes' message
when required).  This audio data can then be delivered in mp3 format to an
email address or by download within the web application.
 
The only technical requirements to accomplish these tasks would include
hosting a PBX server running Asterisk+LAMP (root pref), an 800 number and
termination services.

The 800 number is arguable.  Obtaining a "local area" code over IP is pretty
easy.  Using a 1+212 country/area code would lower costs by eliminating
destination calling costs.  All inbound calls could then be free.  Having an
800 number could be considered as an exception.

As far as implementing Asterisk to do all of this, I can take the
responsibility of that.  This can be done on the cheap easily while creating
extensible, flexible, configurable and shareable opportunities.

Thoughts?

Regards,

Blake Cornell

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Leonardo
Cavallari Militelli
Sent: Thursday, December 18, 2008 9:36 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP vulnerability taxonomy - does it exist
or not?

Stephen, I'll consider your points for the final version of
categorization. Tks.

> After
> that, it got moved to the wiki and many more vulns and categories were
> added
> (some overlapping) to create the current OWASP Vulnerability category
> (http://www.owasp.org/index.php/Category:Vulnerability).

There's still much to do in this category as we have +300 stub/weak-content
articles. Just to let you know, I had defined this new
template for vulnerability articles
(https://www.owasp.org/index.php/Vulnerability_template) that
comprehends mostly all needs.

For early next year, I'll recruit a task force team to produce and
review a set of the most useful/important articles. Anyone interested in
helping this out?

Leo

> The folks at MITRE (and many security product/consulting companies) have
> been pushing the CWE for use as a standard taxonomy for 'bad stuff that
> software has'.
> p.
>
> On Tue, Dec 16, 2008 at 4:38 AM, Leonardo Cavallari Militelli
> <leonardocavallari at gmail.com> wrote:
>>
>> Hello Stephen,
>>
>> Actually, Fortify's and other donated contents are being updated by the ASDR
>> Project. Everything is open and can be accessed through this page:
>> https://www.owasp.org/index.php/ASDR_Table_of_Contents
>>
>> What we are doing by now is discussing a concise set of categories for
>> each topic, based on left side of this mindmap:
>> https://www.owasp.org/images/e/ef/OWASP_ASDR.jpeg, that should be used to
>> classify all articles in ASDR. This was made considering Cigital/McGraw's
>> kingdom concepts among other existent taxonomies (CWE, CVE, etc).
>>
>> As Jeff pointed out, it's really difficult to define something that can
>> handle everything in a unique taxonomy; what we are trying to do is
>> make
>> it as comprehensive as we can without overlapping.
>>
>> Any comment regarding above classification is much desired!
>> Best,
>> Leo
>>
>>
>> On Tue, Dec 16, 2008 at 9:10 AM, Stephen Craig Evans
>> <stephencraig.evans at gmail.com> wrote:
>>>
>>> So, you are saying that the Fortify document donated to OWASP was
>>> never updated and it's not open to the public? Where is it?
>>>
>>> I don't understand how you can do metrics (or reporting) without a
>>> taxonomy.
>>>
>>> Cheers,
>>> Stephen
>>>
>>> On Tue, Dec 16, 2008 at 6:35 AM, Jeff Williams <jeff.williams at owasp.org>
>>> wrote:
>>> > The idea behind the honeycomb project and later the ASDR is that there
>>> > is no
>>> > strict taxonomy that will suit all needs for organizing
>>> > vulnerabilities.
>>> > There are several reasons that you can't fit all these things into a
>>> > taxonomy:
>>> >  - Vulnerabilities chain together (no canonicalization -> blacklist
>>> > input
>>> > validation -> no output encoding -> injection)
>>> >  - Vulnerabilities are at different levels (lack of input validation
>>> > vs.
>>> > null-byte injection)
>>> >  - Vulnerabilities overlap (CSRF authentication or authorization)
>>> >  - The same vulnerability can have wildly different threats and
>>> > impacts
>>> > associated with it
>>> >  - there are more...
>>> >
>>> > In the most recent incarnations of the ASDR and the 3 Guides, we're
>>> > taking a
>>> > more positive approach, organizing around security controls.  I
>>> > recommend
>>> > working with Leo to match the structure that he's come up with for the
>>> > ASDR.
>>> >
>>> > --Jeff
>>> >
>>> > -----Original Message-----
>>> > From: owasp-leaders-bounces at lists.owasp.org
>>> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen
>>> > Craig
>>> > Evans
>>> > Sent: Monday, December 15, 2008 1:36 PM
>>> > To: Owasp leaders
>>> > Subject: [Owasp-leaders] OWASP vulnerability taxonomy - does it exist
>>> > or
>>> > not?
>>> >
>>> > Hi,
>>> >
>>> > Fortify & Gary McGraw donated a vulnerability taxonomy to the OWASP
>>> > Honeycomb Project, which seems to have been quickly absorbed by the
>>> > ASDR project.
>>> >
>>> > I have kindly asked for a definitive taxonomy - it doesn't have to be
>>> > Kingdom-Category-Subcategory as originally proposed - but what I have
>>> > received so far is "check this for an example". That's not good
>>> > enough.
>>> >
>>> > I want to use an OWASP-created or -endorsed taxonomy. No beating
>>> > around the bush: does it exist or not? If it does (or partially),
>>> > please send it to me. If it doesn't, I'll make up something on my own.
>>> >
>>> > Thanks in advance,
>>> > Stephen
>>> > _______________________________________________
>>> > OWASP-Leaders mailing list
>>> > OWASP-Leaders at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> >
>>
>>
>
>
>
> --
> ~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
> Pravir Chandra                      chandra<at>list<dot>org
> PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
> ~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
>