[Owasp-leaders] OWASP vulnerability taxonomy - does it existornot?

Jim Manico jim.manico at aspectsecurity.com
Thu Dec 18 17:43:29 EST 2008


> I'm not familiar with the technology used for the first podcast

The first podcast used a free conference call service that saved the
conversation as a low quality wav (30mb for one hour).

I'm moving away from that for podcast #2 and beyond. 

I'm now using:
	* Skype and SkypeIn (a service so folks can call me directly via
a normal LA phone number, 213 985 1930; sorry, no toll-free # yet;
$5/month for the phone number, $3/month for basic service) or contact me
directly via Skype (jmanico).
	* I'm recording with MX Skype Recorder ($15 one-time cost,
recording mono high quality WAV files [10mb every few seconds]).
	* Creating intro music with Garage Band (free with crapple
products).
	* Doing basic editorial chopping work with SoundForge (my task,
with my personal licensed copy).
	* Doing final producing with a loaded Pro Tools LE rig (my
assistant producer's task, with his licensed rig).

- Jim

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Blake
Cornell
Sent: Thursday, December 18, 2008 5:05 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?

Hello All,

I'm not familiar with the technology used for the first podcast. If
anyone is familiar with the implementation used please let me know some
specs. It would allow me to tune potential requirements.

I've mocked up podcast workflows with Asterisk in the past. My
perceived ideal implementation of a modular and extensible podcast
integration/workflow goes roughly as follows.

A podcast's participants require easy accessibility and availability.
This can be accomplished by distributing an 800 number to a remotely
hosted conferencing server. Utilizing a simple web app we could
authenticate, create and delete valid conference codes. The system would
automatically record all calls while following current legal practices
(ensure continuous beeping for international needs as well as a 'for
training purposes' message when required). This audio data can then be
delivered in mp3 format to an email address or by download within the
web application.
 
The only technical requirements to accomplish these tasks would include
hosting a PBX server running Asterisk+LAMP (root pref), an 800 number
and termination services.

The 800 number is arguable. Obtaining a "local area" code over IP is
pretty easy. Using a 1+212 country/area code would lower costs by
eliminating destination calling costs. All inbound calls could then be
free. Having an 800 number could be considered as an exception.

As far as implementing Asterisk to do all of this, I can take the
responsibility of that. This can be done on the cheap easily while
creating extensible, flexible, configurable and shareable opportunities.

Thoughts?

Regards,

Blake Cornell

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Leonardo
Cavallari Militelli
Sent: Thursday, December 18, 2008 9:36 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP vulnerability taxonomy - does it exist or not?

Stephen, I'll consider your points for the final version of
categorization. Thanks.

> After that, it got moved to the wiki and many more vulns and categories
> were added (some overlapping) to create the current OWASP Vulnerability
> category (http://www.owasp.org/index.php/Category:Vulnerability).

There's still much to do in this category as we have 300+ stub or
weak-content articles. Just to let you know, I have defined this new
template for vulnerability articles
(https://www.owasp.org/index.php/Vulnerability_template) that
covers most needs.

For early next year, I'll recruit a task force team to produce and
review a set of the most useful/important articles. Anyone interested in
helping with this?

Leo

> The folks at MITRE (and many security product/consulting companies)
> have been pushing the CWE for use as a standard taxonomy for 'bad stuff
> that software has'.
> p.
>
> On Tue, Dec 16, 2008 at 4:38 AM, Leonardo Cavallari Militelli
> <leonardocavallari at gmail.com> wrote:
>>
>> Hello Stephen,
>>
>> Actually, Fortify's and other donated contents are being updated by the
>> ASDR Project. Everything is open and can be accessed through this page:
>> https://www.owasp.org/index.php/ASDR_Table_of_Contents
>>
>> What we are doing by now is discussing a concise set of categories for
>> each topic, based on the left side of this mindmap:
>> https://www.owasp.org/images/e/ef/OWASP_ASDR.jpeg, that should be
>> used to classify all articles in ASDR. This was made considering
>> Cigital/McGraw's kingdom concepts among other existing taxonomies
>> (CWE, CVE, etc).
>>
>> As Jeff pointed out, it's really difficult to define something that
>> can handle everything in a single taxonomy; what we are trying to do is
>> make it as comprehensive as we can without overlapping.
>>
>> Any comment regarding above classification is much desired!
>> Best,
>> Leo
>>
>>
>> On Tue, Dec 16, 2008 at 9:10 AM, Stephen Craig Evans
>> <stephencraig.evans at gmail.com> wrote:
>>>
>>> So, you are saying that the Fortify document donated to OWASP was
>>> never updated and it's not open to the public? Where is it?
>>>
>>> I don't understand how you can do metrics (or reporting) without a
>>> taxonomy.
>>>
>>> Cheers,
>>> Stephen
>>>
>>> On Tue, Dec 16, 2008 at 6:35 AM, Jeff Williams
>>> <jeff.williams at owasp.org> wrote:
>>> > The idea behind the honeycomb project and later the ASDR is that
>>> > there is no strict taxonomy that will suit all needs for organizing
>>> > vulnerabilities. There are several reasons that you can't fit all
>>> > these things into a taxonomy:
>>> >  - Vulnerabilities chain together (no canonicalization -> blacklist
>>> > input validation -> no output encoding -> injection)
>>> >  - Vulnerabilities are at different levels (lack of input validation
>>> > vs. null-byte injection)
>>> >  - Vulnerabilities overlap (CSRF authentication or authorization)
>>> >  - The same vulnerability can have wildly different threats and
>>> > impacts associated with it
>>> >  - there are more...
>>> >
>>> > In the most recent incarnations of the ASDR and the 3 Guides, we're
>>> > taking a more positive approach, organizing around security
>>> > controls. I recommend working with Leo to match the structure that
>>> > he's come up with for the ASDR.
>>> >
>>> > --Jeff
>>> >
>>> > -----Original Message-----
>>> > From: owasp-leaders-bounces at lists.owasp.org
>>> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
>>> > Stephen Craig Evans
>>> > Sent: Monday, December 15, 2008 1:36 PM
>>> > To: Owasp leaders
>>> > Subject: [Owasp-leaders] OWASP vulnerability taxonomy - does it
>>> > exist or not?
>>> >
>>> > Hi,
>>> >
>>> > Fortify & Gary McGraw donated a vulnerability taxonomy to the
>>> > OWASP Honeycomb Project, which seems to have been quickly absorbed
>>> > by the ASDR project.
>>> >
>>> > I have kindly asked for a definitive taxonomy - it doesn't have to
>>> > be Kingdom-Category-Subcategory as originally proposed - but what I
>>> > have received so far is "check this for an example". That's not
>>> > good enough.
>>> >
>>> > I want to use an OWASP-created or -endorsed taxonomy. No beating
>>> > around the bush: does it exist or not? If it does (or partially),
>>> > please send it to me. If it doesn't, I'll make up something on my
>>> > own.
>>> >
>>> > Thanks in advance,
>>> > Stephen
>>> > _______________________________________________
>>> > OWASP-Leaders mailing list
>>> > OWASP-Leaders at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> >
>>
>
>
>
> --
> ~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
> Pravir Chandra                      chandra<at>list<dot>org
> PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
> ~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
>