[Owasp-leaders] Common web application vulnerability naming standard

Dan Cornell dan at denimgroup.com
Wed Nov 17 07:26:33 EST 2010


Is MITRE's CWE (Common Weakness Enumeration) or CAPEC (Common Attack Pattern Enumeration and Classification) what you're looking for?

CWE is similar to the WASC classification but _much_ more granular.  A while back I put together some mappings between CWE and WASC (and OWASP Top 10) here:
http://blog.denimgroup.com/denim_group/2010/01/mapping-between-owasp-top-10-2004-2007-wasc-242-and-sans-cwe25.html

However, given the examples below, CAPEC might be the more applicable.

Thanks,

Dan


From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of daniel cuthbert
Sent: Wednesday, November 17, 2010 4:45 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Common web application vulnerability naming standard

Yes and no. Whilst the WASC Threat Classification is indeed a step in the right direction, it's still incredibly high-level.

Take WASC-01: Insufficient Authentication.

Now this is great, it gives the viewer a better understanding of the initial high-level issue with authentication but falls short of explaining the vulns normally found such as:

- user enumeration via the authentication mechanism
- information leakage via the forgotten password function
- DoS attacks aimed at the account lockout procedure
- and so on.

I guess what I want doesn't currently exist in the public domain. I know many have a private one, so this seems like a great time to start said project.


On 17 November 2010 12:29, Stephen de Vries <stephen at twisteddelight.org> wrote:

WASC Threat Classification?

http://projects.webappsec.org/w/page/13246978/Threat-Classification

On Nov 17, 2010, at 10:04 AM, daniel cuthbert wrote:

> hey Leaders,
>
> I'm busy with potentially a new project for OWASP that tries to create a standard set of web app vulnerability names to be used during the reporting phase. In most cases, we all find the same issues but differ when it comes to the approach taken when reporting them. I feel that this sometimes has the ability to confuse clients, especially those using multiple vendors to perform assessments.
>
> With this in mind, can anyone share links of common web application vulnerability lists they know of? I'm trying to build up as many sources before I try and build up an OWASP document.
>
> Merci,
>
> Daniel
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

