[Owasp-leaders] The OWASP Periodic Table Project

James Landis james.landis at owasp.org
Tue Mar 5 21:19:05 UTC 2013


Dennis,
Yes, this is the exact metaphor I was pursuing. I pushed for a similar
"taxonomy" view for the WASC TCv2. (One result of this work may be to apply
this kind of "solutions" view to the TCv2 to expand that project.) The
more I thought about how to classify vulns in a simple way, the more I
returned to the idea of the Table of Elements.

I did start out thinking that many of these vulnerability classes are
really fundamentally the same root cause. As you say: XSS & SQLi (and throw
in HTMLi, OS command injection, generic XMLi, etc.) are fundamentally all
the same problems. My original thought was to use "root cause" or "type of
solution" as the analogous class to "noble gas" or "metal". But I realized
that that didn't get us much further than we already are, which is that we
still mostly rely on developers to understand all of these issues in their
everyday work to keep them from making mistakes.

The current metaphor for the project isn't quite as nuanced as the table of
chemical elements. It is more of a spectrum between "we can eliminate this
problem altogether with new web standards" and "developers will always have
to worry about this problem themselves no matter what we do" (with "we can
keep developers from having to worry about this problem if they use a
better framework that protects them" somewhere in the middle). But it's all
about eliminating vulnerabilities as far away from the day-to-day
activities of web developers as we possibly can. In general, issues with
the same root cause will be addressed in the same part of the spectrum
(e.g. output encoding solutions live in generic frameworks).

The goal is to kill these bugs once and for all, the way we did with buffer
overflow, and force ourselves all to go and get real jobs.

-j


On Tue, Mar 5, 2013 at 12:44 PM, Dennis Groves <dennis.groves at owasp.org> wrote:

> On 5 Mar 2013, at 20:35, Eoin wrote:
>
>> So the periodic table is a list of vulns right? Best we share the work we
>> did on the owasp common numbering system?
>>
>
> Not a list of vulns, the periodic table is a taxonomy of similarities.
> Gases, liquids, solids etc… I imagine a taxonomy of vulns: input
> validation, authorisation, access control, etc. (the top 10 controls?)
> Within the taxonomy of gases are air and helium, for example. I further
> imagine that input validation will have XSS & SQLi, for example. I would
> further imagine that the OWASP periodic table has its own shape that
> doesn't much resemble the actual periodic table…
>
> so I see it as a project to group known issues according to related root
> causes.
>
> Is this how others view this project?
>
>
>
> Dennis
>
> --
> Dennis Groves, MSc (http://about.me/dennis.groves)
> Email me <dennis.groves at owasp.org> or schedule a meeting
> (http://goo.gl/8sPIy).
>
> This email is licensed under a CC BY-ND 3.0 license
> (http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB).
>
> Please do not send me Microsoft Office/Apple iWork documents.
> Send OpenDocument (http://fsf.org/campaigns/opendocument/) instead!
> Stand up for your freedom to install free software
> (http://www.fsf.org/campaigns/secure-boot/statement).
>
> The idea that some lives matter less is the root of all that's wrong with
> the world. -- Paul Farmer
>