[Owasp-leaders] The OWASP Periodic Table Project

Jim Manico jim.manico at owasp.org
Tue Mar 5 20:43:41 UTC 2013


Eoin,

The OWASP Periodic Table Project is a breakdown of how to defend against a large list of very specific risks and where that defense belongs in complex software architectures (design). I have not seen work like this to date.

The breakdown is:

1) Vulnerability Type
2) Standards - how new standards can be created, or what existing standards exist to address this vulnerability type
3) Infrastructure - infrastructure defense considerations
4) Generic Framework - how defense for this vulnerability type can be added to generic frameworks like Struts, RoR, etc
5) Custom Framework - how software engineers can defend against this vulnerability type in private libraries and frameworks
6) Custom Code - how software engineers can defend against this vulnerability type in custom application-layer code

Please hit:

https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities

And review the middle tab. It's a solid start and I support it.

Aloha,
Jim Manico
@Manicode
> So the periodic table is a list of vulns right? Best we share the work we did on the owasp common numbering system?
> 
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> 
> 
> On 5 Mar 2013, at 20:15, James Landis <james.landis at owasp.org> wrote:
> 
>> The Top X lists are: "what are they, which ones are the worst"; the Periodic Table is: "how are they best solved". Additionally, the Top X lists are just the top X, the Table intends to cover EVERY vulnerability class.
>>
>> If it's not clear from the high-level project description, perhaps a FAQ is in order, though. I'll track this question and watch for others.
>>
>> Thanks!
>> -j
>>
>>
>> On Tue, Mar 5, 2013 at 8:42 AM, Eric Sheridan <eric.sheridan at owasp.org> wrote:
>>> Can you guys provide some insight (perhaps via Wiki) why this should be
>>> used in place of / along side WASC/CWE/SANST25/OT10/etc.?
>>>
>>> Sincerely,
>>> Eric Sheridan
>>> (twitter) @eric_sheridan
>>> (blog) http://ericsheridan.blogspot.com
>>>
>>> On 3/5/13 4:41 AM, Jim Manico wrote:
>>>> A working group is now forming under the leadership of James Landis to produce the 1.0 draft of the OWASP Periodic Table of Vulnerabilities project.
>>>>
>>>> The goal of this project is to identify the ideal solution target for known web application vulnerability classes as a first step toward eliminating many classes of vulnerabilities altogether. The project is currently targeting web standards, perimeter technologies, and frameworks. The first public release of the project will represent a multi-industry consensus about the ideal solution target for each vulnerability.
>>>>
>>>> If you would like to have a hand in shaping the future of web application technologies toward solving vulnerabilities like cross-site scripting and SQL injection forever, your contributions would be greatly appreciated! We are especially seeking candidates to represent the perspectives of several key industry groups, as outlined in the project roadmap below. If you are interested in keeping an eye on the project discussion, please join the mailing list. If you would like to contribute as a member of the working group, please email the project leader with a very short bio, a list of the industry groups you might represent, a few sentences about why you'd like to join the group, and a rough estimate of the amount of time you could dedicate to the project per month.
>>>>
>>>> Project page: https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities
>>>>
>>>> Roadmap: https://www.owasp.org/index.php/Projects/OWASP_Periodic_Table_of_Vulnerabilities/Roadmap
>>>>
>>>> Mailing list: https://lists.owasp.org/mailman/listinfo/owasp_periodic_table_of_vulnerabilities
>>>>
>>>> Project lead: James Landis <james.landis at owasp.org>
>>>>
>>>> Thank you for considering.
>>>>
>>>> Aloha,
>>>> Jim Manico
>>>> OWASP Volunteer
>>>> @Manicode
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>