[Owasp-leaders] Common web application vulnerability naming standard

daniel cuthbert daniel.cuthbert at owasp.org
Wed Nov 17 07:40:02 EST 2010


Having just spent the past hour looking at both CWE and CAPEC, CAPEC does
seem to fit in more with the direction I'm going. Giving your PDF a good read
now, thanks for pointing that out (must have missed that on my travels).



On 17 November 2010 14:26, Dan Cornell <dan at denimgroup.com> wrote:

>  Is MITRE’s CWE (Common Weakness Enumeration) or CAPEC (Common Attack
> Pattern Enumeration and Classification) what you’re looking for?
>
> CWE is similar to the WASC classification but *much* more granular. A
> while back I put together some mappings between CWE and WASC (and OWASP Top
> 10) here:
>
> http://blog.denimgroup.com/denim_group/2010/01/mapping-between-owasp-top-10-2004-2007-wasc-242-and-sans-cwe25.html
>
> However, given the examples below, CAPEC might be the more applicable.
>
> Thanks,
>
> Dan
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *daniel cuthbert
> *Sent:* Wednesday, November 17, 2010 4:45 AM
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] Common web application vulnerability naming
> standard
>
> Yes and no. Whilst the WASC Threat Classification is indeed a step in the
> right direction, it's still incredibly high-level.
>
> Take WASC-01: Insufficient Authentication.
>
> Now this is great, it gives the viewer a better understanding of the
> initial high-level issue with authentication but falls short of explaining
> the vulns normally found such as:
>
> - user enumeration via the authentication mechanism
> - information leakage via the forgotten password function
> - DoS attacks aimed at account lockout procedure
>
> and so on.
>
> I guess what I want doesn't currently exist in the public domain. I know
> many have a private one, so this seems like a great time to start said
> project.
>
> On 17 November 2010 12:29, Stephen de Vries <stephen at twisteddelight.org>
> wrote:
>
> WASC Threat Classification?
>
> http://projects.webappsec.org/w/page/13246978/Threat-Classification
>
> On Nov 17, 2010, at 10:04 AM, daniel cuthbert wrote:
>
> > hey Leaders,
> >
> > I'm busy with potentially a new project for OWASP that tries to create a
> standard set of web app vulnerability names to be used during the reporting
> phase. In most cases, we all find the same issues but differ when it comes
> to the approach taken when reporting them. I feel that this sometimes has
> the ability to confuse clients, especially those using multiple vendors to
> perform assessments.
> >
> > With this in mind, can anyone share links of common web application
> vulnerability lists they know of? I'm trying to build up as many sources
> before I try and build up an OWASP document.
> >
> > Merci,
> >
> > Daniel
>
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders