[Owasp-leaders] The OWASP Periodic Table Project

James Landis james.landis at owasp.org
Tue Mar 5 20:59:28 UTC 2013


Eoin,
I reviewed the OWASP Common Numbering System. I think that the periodic
table COULD be a precursor to a set of requirements that would get built
from the consensus we reach about WHERE to address vulns/weaknesses, but
it's too early in the life of this project to jump directly to the CNS.

Using the draft requirements for that project as an example: the periodic
table might instead say something like "a configurable strong password
system should be provided by a generic framework to address authentication
weaknesses - it shouldn't be implemented in perimeter systems, browser
standards, or by any web developer writing custom code". However, it
wouldn't prescribe exactly what the requirements for the framework-based
password scheme would be yet. We're first trying to establish a consensus
about where in the ecosystem each class of vulnerability is best solved,
with only a high-level description of what the solution looks like.

Hopefully that makes sense.


On Tue, Mar 5, 2013 at 12:43 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Eoin,
>
> The OWASP Periodic Table Project is a breakdown of how to defend against a
> large list of very specific risks and where that defense belongs in complex
> software architectures (design). I have not seen work like this to date.
>
> The breakdown is:
>
> 1) Vulnerability Type
> 2) Standards - how new standards can be created, or what existing
> standards exist to address this vulnerability type
> 3) Infrastructure - infrastructure defense considerations
> 4) Generic Framework - how defense for this vulnerability type can be
> added to generic frameworks like Struts, RoR, etc
> 5) Custom Framework - how software engineers can defend against this
> vulnerability type in private libraries and frameworks
> 6) Custom Code - how software engineers can defend against this
> vulnerability type in custom application-layer code
>
> Please hit:
>
> https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities
>
> And review the middle tab. It's a solid start and I support it.
>
> Aloha,
> Jim Manico
> @Manicode
>
>
>
>
> > So the periodic table is a list of vulns right? Best we share the work
> we did on the owasp common numbering system?
> >
> > Eoin Keary
> > Owasp Global Board
> > +353 87 977 2988
> >
> >
> > On 5 Mar 2013, at 20:15, James Landis <james.landis at owasp.org> wrote:
> >
> >> The Top X lists are: "what are they, which ones are the worst"; the
> Periodic Table is: "how are they best solved". Additionally, the Top X
> lists are just the top X, the Table intends to cover EVERY vulnerability
> class.
> >>
> >> If it's not clear from the high-level project description, perhaps a
> FAQ is in order, though. I'll track this question and watch for others.
> >>
> >> Thanks!
> >> -j
> >>
> >>
> >> On Tue, Mar 5, 2013 at 8:42 AM, Eric Sheridan <eric.sheridan at owasp.org>
> wrote:
> >>> Can you guys provide some insight (perhaps via Wiki) why this should be
> >>> used in place of / along side WASC/CWE/SANST25/OT10/etc.?
> >>>
> >>> Sincerely,
> >>> Eric Sheridan
> >>> (twitter) @eric_sheridan
> >>> (blog) http://ericsheridan.blogspot.com
> >>>
> >>> On 3/5/13 4:41 AM, Jim Manico wrote:
> >>>> A working group is now forming under the leadership of James Landis
> to produce the 1.0 draft of the OWASP Periodic Table of Vulnerabilities
> project.
> >>>>
> >>>> The goal of this project is to identify the ideal solution target for
> known web application vulnerability classes as a first step toward
> eliminating many classes of vulnerabilities altogether. The project is
> currently targeting web standards, perimeter technologies, and frameworks.
> The first public release of the project will represent a multi-industry
> consensus about the ideal solution target for each vulnerability.
> >>>>
> >>>> If you would like to have a hand in shaping the future of web
> application technologies toward solving vulnerabilities like cross-site
> scripting and SQL injection forever, your contributions would be greatly
> appreciated! We are especially seeking candidates to represent the
> perspectives of several key industry groups, as outlined in the project
> roadmap below. If you are interested in keeping an eye on the project
> discussion, please join the mailing list. If you would like to contribute
> as a member of the working group, please email the project leader with a
> very short bio, a list of the industry groups you might represent, a few
> sentences about why you'd like to join the group, and a rough estimate of
> the amount of time you could dedicate to the project per month.
> >>>>
> >>>> Project page:
> https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities
> >>>>
> >>>> Roadmap:
> https://www.owasp.org/index.php/Projects/OWASP_Periodic_Table_of_Vulnerabilities/Roadmap
> >>>>
> >>>> Mailing list:
> https://lists.owasp.org/mailman/listinfo/owasp_periodic_table_of_vulnerabilities
> >>>>
> >>>> Project lead: James Landis <james.landis at owasp.org>
> >>>>
> >>>> Thank you for considering.
> >>>>
> >>>> Aloha,
> >>>> Jim Manico
> >>>> OWASP Volunteer
> >>>> @Manicode
> >>>> _______________________________________________
> >>>> OWASP-Leaders mailing list
> >>>> OWASP-Leaders at lists.owasp.org
> >>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>>>
> >>
> >
> >
> >
> >
>
>