[Owasp-leaders] Common web application vulnerability naming standard

Eoin eoin.keary at owasp.org
Wed Nov 17 08:54:45 EST 2010


There is an OWASP project Matteo, Anurag and myself are working on: "The
OWASP common vulnerability list", which is an attempt to consolidate the TG, Dev
and CRG lists with WASC, SANS, CWE etc.

On 17 November 2010 13:48, Dave Wichers <dave.wichers at aspectsecurity.com> wrote:

> Check out MITRE’s CWE (Common Weakness Enumeration) (
> http://cwe.mitre.org/). That’s much more detailed but not web focused. It
> ‘may’ have stuff you can use/extract, or maybe you could work with them to
> get CWE to provide what you want without creating yet another taxonomy.
>
> I have cc’d Steve Christey who is heavily involved in that project at
> MITRE.
>
> I also wonder how this list of ‘vulnerabilities’ would correlate to the
> ‘requirements’ listed in the OWASP ASVS? I wonder if OWASP could use that as
> a guide for such a taxonomy.
>
> -Dave
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *daniel cuthbert
> *Sent:* Wednesday, November 17, 2010 5:45 AM
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] Common web application vulnerability
> naming standard
>
> Yes and no. Whilst the WASC Threat Classification is indeed a step in the
> right direction, it's still incredibly high-level.
>
> Take WASC-01: Insufficient Authentication.
>
> Now this is great, it gives the viewer a better understanding of the
> initial high-level issue with authentication but falls short of explaining
> the vulns normally found such as:
>
> - user enumeration via the authentication mechanism
>
> - information leakage via the forgotten password function
>
> - DoS attacks aimed at account lockout procedure
>
> and so on.
>
> I guess what I want doesn't currently exist in the public domain. I know
> many have a private one, so this seems like a great time to start said
> project.
>
> On 17 November 2010 12:29, Stephen de Vries <stephen at twisteddelight.org>
> wrote:
>
> WASC Threat Classification?
>
> http://projects.webappsec.org/w/page/13246978/Threat-Classification
>
> On Nov 17, 2010, at 10:04 AM, daniel cuthbert wrote:
>
> > hey Leaders,
> >
> > I'm busy with potentially a new project for OWASP that tries to create a
> standard set of web app vulnerability names to be used during the reporting
> phase. In most cases, we all find the same issues but differ when it comes
> to the approach taken when reporting them. I feel that this sometimes has
> the ability to confuse clients, especially those using multiple vendors to
> perform assessments.
> >
> > With this in mind, can anyone share links of common web application
> vulnerability lists they know of? I'm trying to build up as many sources
> before I try and build up an OWASP document.
> >
> > Merci,
> >
> > Daniel
>
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary