[Owasp-leaders] Common web application vulnerability naming standard
dan at denimgroup.com
Wed Nov 17 07:26:33 EST 2010
Is MITRE's CWE (Common Weakness Enumeration) or CAPEC (Common Attack Pattern Enumeration and Classification) what you're looking for?
CWE is similar to the WASC classification but _much_ more granular. A while back I put together some mappings between CWE and WASC (and OWASP Top 10) here:
However, given the examples below, CAPEC might be the more applicable.
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of daniel cuthbert
Sent: Wednesday, November 17, 2010 4:45 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Common web application vulnerability naming standard
Yes and no. Whilst the WASC Threat Classification is indeed a step in the right direction, it's still incredibly high-level.
Take WASC-01: Insufficient Authentication.
Now this is great, it gives the viewer a better understanding of the initial high-level issue with authentication but falls short of explaining the vulns normally found such as:
- user enumeration via the authentication mechanism
- information leakage via the forgotten password function
- DoS attacks aimed at account lockout procedure
and so on.
I guess what I want doesn't currently exist in the public domain. I know many have a private one, so this seems like a great time to start said project.
On 17 November 2010 12:29, Stephen de Vries <stephen at twisteddelight.org> wrote:
WASC Threat Classification?
On Nov 17, 2010, at 10:04 AM, daniel cuthbert wrote:
> hey Leaders,
> I'm busy with potentially a new project for OWASP that tries to create a standard set of web app vulnerability names to be used during the reporting phase. In most cases, we all find the same issues but differ when it comes to the approach taken when reporting them. I feel that this sometimes has the ability to confuse clients, especially those using multiple vendors to perform assessments.
> With this in mind, can anyone share links of common web application vulnerability lists they know of? I'm trying to build up as many sources before I try and build up an OWASP document.
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org