[Owasp-leaders] Common web application vulnerability naming standard

Dave Wichers dave.wichers at aspectsecurity.com
Wed Nov 17 09:04:52 EST 2010


Related to that, are you guys planning on using or updating the initial
start at this that Mike B. developed at
http://www.owasp.org/index.php/Common_OWASP_Numbering?

I was hoping that this page would ultimately contain this common
numbering scheme across all the guides and it would be based on ASVS
actually. And now there is the new OWASP Secure Coding Practices Quick
Reference Guide from Keith Turpin of Boeing where he has been trying to
align ASVS and his guide, and he and I were hoping that 'this' alignment
between the two could serve as the cross reference list for the three
guides since Keith's list is more complete than the ASVS.

Can I ask that the 3 of you coordinate with him on this?

Thanks, Dave

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Wednesday, November 17, 2010 8:55 AM
To: owasp-leaders at lists.owasp.org
Cc: Steven M. Christey
Subject: Re: [Owasp-leaders] Common web application vulnerability naming
standard

There is an OWASP project Matteo, Anurag and myself are working on, "The
OWASP common vulnerability list", which is an attempt to consolidate the TG,
Dev and CRG lists with WASC, SANS, CWE, etc.

On 17 November 2010 13:48, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:

Check out MITRE's CWE (Common Weakness Enumeration)
(http://cwe.mitre.org/). That's much more detailed but not web focused.
It 'may' have stuff you can use/extract, or maybe you could work with
them to get CWE to provide what you want without creating yet another
taxonomy.

I have cc'd Steve Christey who is heavily involved in that project at
MITRE.

I also wonder how this list of 'vulnerabilities' would correlate to the
'requirements' listed in the OWASP ASVS? I wonder if OWASP could use
that as a guide for such a taxonomy.

-Dave

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of daniel
cuthbert
Sent: Wednesday, November 17, 2010 5:45 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Common web application vulnerability naming
standard

Yes and no. Whilst the WASC Threat Classification is indeed a step in
the right direction, it's still incredibly high-level.

Take WASC-01: Insufficient Authentication.

Now this is great, it gives the viewer a better understanding of the
initial high-level issue with authentication but falls short of
explaining the vulns normally found such as:

- user enumeration via the authentication mechanism
- information leakage via the forgotten password function
- DoS attacks aimed at account lockout procedure

and so on.

I guess what I want doesn't currently exist in the public domain. I know
many have a private one, so this seems like a great time to start said
project.

On 17 November 2010 12:29, Stephen de Vries <stephen at twisteddelight.org>
wrote:


WASC Threat Classification?

http://projects.webappsec.org/w/page/13246978/Threat-Classification


On Nov 17, 2010, at 10:04 AM, daniel cuthbert wrote:

> hey Leaders,
>
> I'm busy with potentially a new project for OWASP that tries to create
a standard set of web app vulnerability names to be used during the
reporting phase. In most cases, we all find the same issues but differ
when it comes to the approach taken when reporting them. I feel that
this sometimes has the ability to confuse clients, especially those
using multiple vendors to perform assessments.
>
> With this in mind, can anyone share links of common web application
vulnerability lists they know of? I'm trying to build up as many sources
before I try and build up an OWASP document.
>
> Merce,
>
> Daniel

> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary

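The three findings Daniel lists under WASC-01 (user enumeration via the login form, information leakage via the forgotten-password function, and an account-lockout procedure abused as a denial of service), shown as a leaky handler beside a hardened one. This is an added Python example written for this archive page; it is not code from the thread, from any OWASP project, or from WASC. The user table, salts, e-mail outbox, lockout threshold and backoff numbers are all constructed for the example.

```python
"""Constructed example: three authentication findings that sit under
WASC-01 "Insufficient Authentication" but are reported separately in
practice. Each leaky handler is shown beside a hardened one. Stdlib only;
the user table, salts and thresholds are invented for the example."""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # PBKDF2 work factor; kept low so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: one known account.
_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": {"salt": _ALICE_SALT,
              "hash": _hash("correct horse", _ALICE_SALT),
              "email": "alice@example.test"},
}
# Dummy credential so that an unknown username costs the same PBKDF2 work
# as a real one (removes the timing side channel on the login path).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(16).hex(), _DUMMY_SALT)
OUTBOX = []  # (address, kind) of e-mails the reset flow would send

# --- 1. user enumeration via the authentication mechanism ---------------

def login_leaky(username: str, password: str) -> str:
    user = USERS.get(username)
    if user is None:
        return "Unknown username"          # tells the caller the account does not exist
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return "Incorrect password"        # tells the caller the account does exist
    return "OK"


def login_hardened(username: str, password: str) -> str:
    user = USERS.get(username)
    salt, stored = (user["salt"], user["hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_hash(password, salt), stored)  # always computed
    if matched and user is not None:
        return "OK"
    return "Invalid username or password"  # same message and same work on both paths


def enumeration_oracle(login_fn) -> bool:
    """Pentester's check: does the response differ between an unknown user
    and a known user with a wrong password? True means usernames leak."""
    return login_fn("alice", "wrong") != login_fn("nobody", "wrong")

# --- 2. information leakage via the forgotten password function ---------

def forgot_password_leaky(username: str) -> str:
    user = USERS.get(username)
    if user is None:
        return "No account is registered under that username"
    OUTBOX.append((user["email"], "reset"))
    return "A reset link has been sent to " + user["email"]  # also discloses the address


def forgot_password_hardened(username: str) -> str:
    user = USERS.get(username)
    if user is not None:
        OUTBOX.append((user["email"], "reset"))  # side effect only; nothing in the response
    return "If that account exists, a reset link has been sent to its registered address"

# --- 3. DoS attacks aimed at the account lockout procedure --------------

LOCK_AFTER = 5
_FAILS_BY_USER = {}                  # leaky: keyed on username alone


def attempt_leaky(username: str, password: str) -> str:
    if _FAILS_BY_USER.get(username, 0) >= LOCK_AFTER:
        return "Account locked"      # anyone who knows the username can trigger this
    result = login_leaky(username, password)
    if result != "OK":
        _FAILS_BY_USER[username] = _FAILS_BY_USER.get(username, 0) + 1
    return result


_FAILS_BY_SOURCE = {}                # hardened: keyed on (source, username)


def attempt_hardened(source: str, username: str, password: str, now: float) -> str:
    key = (source, username)
    count, retry_at = _FAILS_BY_SOURCE.get(key, (0, 0.0))
    if now < retry_at:
        return "Too many attempts; retry later"
    result = login_hardened(username, password)
    if result == "OK":
        _FAILS_BY_SOURCE.pop(key, None)
        return result
    count += 1
    # Exponential backoff per source, capped; the account itself is never
    # hard-locked, so a remote attacker cannot deny the real user from elsewhere.
    _FAILS_BY_SOURCE[key] = (count, now + min(2.0 ** count, 300.0))
    return result
```

Running enumeration_oracle against the two login functions shows the point of naming the finding separately: the leaky form answers differently for "alice" and "nobody", the hardened one does not. The hardened forgotten-password handler still sends the mail when the account exists, so the only remaining signal is timing; in a real deployment the send is queued asynchronously so that the response time is identical on both paths.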