[Owasp-leaders] Common web application vulnerability naming standard

Anurag Agarwal anurag.agarwal at yahoo.com
Wed Nov 17 09:32:44 EST 2010


Dave - the OWASP common numbering scheme is separately aligned to all the guides,
but Matteo, Eoin and myself are meeting this Thursday 1pm EST to discuss and
we will certainly take this as an action item.

Daniel - I would love for you to join us on Skype tomorrow. You can get an
idea about what we are doing and see if it is along the lines of what you
are trying to do. We are getting the vulnerabilities from various sources
including CWE, OWASP, WASC TC, OWASP TG, OWASP DG, OWASP CRG, etc.

Thanks

Anurag

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dave Wichers
Sent: Wednesday, November 17, 2010 9:05 AM
To: owasp-leaders at lists.owasp.org
Cc: Turpin, Keith N
Subject: Re: [Owasp-leaders] Common web application vulnerability naming standard

Related to that, are you guys planning on using or updating the initial
start at this that Mike B. developed at:
http://www.owasp.org/index.php/Common_OWASP_Numbering ?

I was hoping that this page would ultimately contain this common numbering
scheme across all the guides and it would be based on ASVS actually. And now
there is the new OWASP Secure Coding Practices Quick Reference Guide from
Keith Turpin of Boeing where he has been trying to align ASVS and his guide,
and he and I were hoping that 'this' alignment between the two could serve
as the cross reference list for the three guides since Keith's list is more
complete than the ASVS.

Can I ask that the 3 of you coordinate with him on this?

Thanks, Dave

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Wednesday, November 17, 2010 8:55 AM
To: owasp-leaders at lists.owasp.org
Cc: Steven M. Christey
Subject: Re: [Owasp-leaders] Common web application vulnerability naming standard

There is an OWASP project Matteo, Anurag and myself are working on: "The
OWASP common vulnerability list", which is an attempt to consolidate the TG, Dev
and CRG lists with WASC, SANS, CWE, etc.

On 17 November 2010 13:48, Dave Wichers <dave.wichers at aspectsecurity.com>
wrote:

Check out MITRE's CWE (Common Weakness Enumeration) (http://cwe.mitre.org/).
That's much more detailed but not web focused. It 'may' have stuff you can
use/extract, or maybe you could work with them to get CWE to provide what
you want without creating yet another taxonomy.

I have cc'd Steve Christey who is heavily involved in that project at MITRE.

I also wonder how this list of 'vulnerabilities' would correlate to the
'requirements' listed in the OWASP ASVS? I wonder if OWASP could use that as
a guide for such a taxonomy.

-Dave

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of daniel cuthbert
Sent: Wednesday, November 17, 2010 5:45 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Common web application vulnerability naming standard

Yes and no. Whilst the WASC Threat Classification is indeed a step in the
right direction, it's still incredibly high-level. 

Take WASC-01: Insufficient Authentication.

Now this is great: it gives the viewer a better understanding of the initial
high-level issue with authentication, but falls short of explaining the vulns
normally found, such as:

- user enumeration via the authentication mechanism
- information leakage via the forgotten password function
- DoS attacks aimed at the account lockout procedure
and so on.

I guess what I want doesn't currently exist in the public domain. I know
many have a private one, so this seems like a great time to start said
project. 

On 17 November 2010 12:29, Stephen de Vries <stephen at twisteddelight.org>
wrote:


WASC Threat Classification?

http://projects.webappsec.org/w/page/13246978/Threat-Classification


On Nov 17, 2010, at 10:04 AM, daniel cuthbert wrote:

> hey Leaders,
>
> I'm busy with potentially a new project for OWASP that tries to create a
> standard set of web app vulnerability names to be used during the reporting
> phase. In most cases, we all find the same issues but differ when it comes
> to the approach taken when reporting them. I feel that this sometimes has
> the ability to confuse clients, especially those using multiple vendors to
> perform assessments.
>
> With this in mind, can anyone share links of common web application
> vulnerability lists they know of? I'm trying to build up as many sources
> before I try and build up an OWASP document.
>
> Merce,
>
> Daniel

> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary
