[Owasp-leaders] Common web application vulnerability naming standard

Dave Wichers dave.wichers at aspectsecurity.com
Wed Nov 17 08:48:25 EST 2010


Check out MITRE's CWE (Common Weakness Enumeration)
(http://cwe.mitre.org/). That's much more detailed but not web focused.
It 'may' have stuff you can use/extract, or maybe you could work with
them to get CWE to provide what you want without creating yet another
taxonomy.

I have cc'd Steve Christey who is heavily involved in that project at
MITRE.

I also wonder how this list of 'vulnerabilities' would correlate to the
'requirements' listed in the OWASP ASVS? I wonder if OWASP could use
that as a guide for such a taxonomy.

-Dave

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of daniel
cuthbert
Sent: Wednesday, November 17, 2010 5:45 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Common web application vulnerability naming
standard

Yes and no. Whilst the WASC Threat Classification is indeed a step in
the right direction, it's still incredibly high-level. 

Take WASC-01: Insufficient Authentication.

Now this is great, it gives the viewer a better understanding of the
initial high-level issue with authentication but falls short of
explaining the vulns normally found such as:

- user enumeration via the authentication mechanism
- information leakage via the forgotten password function
- DoS attacks aimed at account lockout procedure

and so on.

I guess what I want doesn't currently exist in the public domain. I know
many have a private one, so this seems like a great time to start said
project. 

On 17 November 2010 12:29, Stephen de Vries <stephen at twisteddelight.org>
wrote:


WASC Threat Classification?

http://projects.webappsec.org/w/page/13246978/Threat-Classification


On Nov 17, 2010, at 10:04 AM, daniel cuthbert wrote:

> hey Leaders,
>
> I'm busy with potentially a new project for OWASP that tries to create
> a standard set of web app vulnerability names to be used during the
> reporting phase. In most cases, we all find the same issues but differ
> when it comes to the approach taken when reporting them. I feel that
> this sometimes has the ability to confuse clients, especially those
> using multiple vendors to perform assessments.
>
> With this in mind, can anyone share links of common web application
> vulnerability lists they know of? I'm trying to build up as many sources
> before I try and build up an OWASP document.
>
> Merci,
>
> Daniel

> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
