[Owasp-leaders] Common web application vulnerability naming standard

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Wed Nov 17 11:01:40 EST 2010


I think we need a project to sync those projects :)
 
You know, I see a lot of valuable ideas, each in its own direction. All pointing to better Web App Sec, but with different angles. Usually at corporate levels a strategy can be appointed to define a vision or common goal, so why not create one vision around vulnerabilities at OWASP, including management, reporting, classification, etc.?
 
Regards,
Juan C Calderon


________________________________

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Anurag Agarwal
Sent: Wednesday, November 17, 2010 08:33 a.m.
To: owasp-leaders at lists.owasp.org
Cc: 'Turpin, Keith N'
Subject: Re: [Owasp-leaders] Common web application vulnerability naming standard



Dave - the OWASP common numbering scheme is separately aligned to all the guides, but Matteo, Eoin and myself are meeting this Thursday 1pm EST to discuss, and we will certainly take this as an action item.

 

Daniel - I would love for you to join us on skype tomorrow. You can get an idea about what we are doing and see if it is along the lines of what you are trying to do. We are getting the vulnerabilities from various sources including CWE, OWASP, WASC TC, OWASP TG, OWASP DG, OWASP CRG, etc.

 

Thanks

Anurag

 

 

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dave Wichers
Sent: Wednesday, November 17, 2010 9:05 AM
To: owasp-leaders at lists.owasp.org
Cc: Turpin, Keith N
Subject: Re: [Owasp-leaders] Common web application vulnerability naming standard

 

Related to that: are you guys planning on using or updating the initial start at this that Mike B. developed at http://www.owasp.org/index.php/Common_OWASP_Numbering ?

 

I was hoping that this page would ultimately contain this common numbering scheme across all the guides and it would be based on ASVS actually. And now there is the new OWASP Secure Coding Practices Quick Reference Guide from Keith Turpin of Boeing where he has been trying to align ASVS and his guide, and he and I were hoping that 'this' alignment between the two could serve as the cross reference list for the three guides since Keith's list is more complete than the ASVS.

 

Can I ask that the 3 of you coordinate with him on this??

 

Thanks, Dave

 

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Wednesday, November 17, 2010 8:55 AM
To: owasp-leaders at lists.owasp.org
Cc: Steven M. Christey
Subject: Re: [Owasp-leaders] Common web application vulnerability naming standard

 

There is an OWASP project Matteo, Anurag and myself are working on: "The OWASP common vulnerability list", which is an attempt to consolidate the TG, Dev and CRG lists with WASC, SANS, CWE etc.



 

On 17 November 2010 13:48, Dave Wichers <dave.wichers at aspectsecurity.com> wrote:

Check out MITRE's CWE (Common Weakness Enumeration) (http://cwe.mitre.org/). That's much more detailed but not web focused. It 'may' have stuff you can use/extract, or maybe you could work with them to get CWE to provide what you want without creating yet another taxonomy.

 

I have cc'd Steve Christey who is heavily involved in that project at MITRE.

 

I also wonder how this list of 'vulnerabilities' would correlate to the 'requirements' listed in the OWASP ASVS? I wonder if OWASP could use that as a guide for such a taxonomy.

 

-Dave

 

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of daniel cuthbert
Sent: Wednesday, November 17, 2010 5:45 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Common web application vulnerability naming standard

 

Yes and no. Whilst the WASC Threat Classification is indeed a step in the right direction, it's still incredibly high-level. 

 

Take WASC-01: Insufficient Authentication.

 

Now this is great; it gives the viewer a better understanding of the initial high-level issue with authentication, but it falls short of explaining the vulns normally found, such as:

 

- user enumeration via the authentication mechanism
- information leakage via the forgotten password function
- DoS attacks aimed at the account lockout procedure

and so on.

 

I guess what I want doesn't currently exist in the public domain. I know many have a private one, so this seems like a great time to start said project.

 

 

On 17 November 2010 12:29, Stephen de Vries <stephen at twisteddelight.org> wrote:


WASC Threat Classification?

http://projects.webappsec.org/w/page/13246978/Threat-Classification


On Nov 17, 2010, at 10:04 AM, daniel cuthbert wrote:

> hey Leaders,
>
> I'm busy with potentially a new project for OWASP that tries to create a standard set of web app vulnerability names to be used during the reporting phase. In most cases, we all find the same issues but differ when it comes to the approach taken when reporting them. I feel that this sometimes has the ability to confuse clients, especially those using multiple vendors to perform assessments.
>
> With this in mind, can anyone share links of common web application vulnerability lists they know of? I'm trying to build up as many sources before I try and build up an OWASP document.
>
> Merci,
>
> Daniel

> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


 






-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary
