[Owasp-leaders] The OWASP Periodic Table Project

Tony UV tonyuv at owasp.org
Wed Mar 6 05:51:06 UTC 2013


Firstly, I appreciate this initiative James and your time around this.  I
too however am a bit perplexed on how this will be consumed beyond the
theoretical in the setting of the SMB security practitioners, the
enterprise security groups, vendors, and/ or security consulting firms.
From a vuln perspective, on one extreme, you have lists managed by MITRE
that relate to CVEs and corresponding CVSS.  As you and many know, there
are very few products that have not adopted CVEs, so although far from
perfect, the adoption is definitely widespread.  Beyond vulns, there are
obviously weaknesses as well, of which, again a list of CWEs and
corresponding CWSS values are also in relatively wide distribution.  Now I
realize that both MITRE driven lists are mostly consumed by security
products, versus SecOps or AppSec folks reading over these vast lists that
are really not that easily consumed and organized.  Although CWEs and CVEs
are much more extensive than the various top X lists out there, they are
meant for different purposes, those being the following: understanding the
genre of the vuln or weakness, understanding technical risk, and lastly how
to remediate.  Going back to those top X, I’ve seen even those get consumed
to further organize to a higher classification of CVEs by those same
product vendors, which is unfortunate b/c they do offer so much more
possibilities via other types of security disciplines that I won’t get into
here.  Point or question being - is there a strong need for further vuln/
weakness classification and if so, how do you foresee adoption/ consumption
to the point of becoming an applied classification model for a given user
base?

Some additional questions/ comments specific to the example URL you
provided are the following:

1 - don’t you think that some of the vulns are splitting hairs and could be
unified in their categorization?  (ex: brute force cookie id & cookie
theft/ session hijacking  - both fall under the area of overall session
management?)
2 - is the term ‘framework’ being misused and attempting to re-brand what
looks like by its column contents as remediation or countermeasures?

I think the idea is good, however, I’m wondering if the approach could be
turned on its head to perhaps create a classification model of attacks vs
vulns/ weaknesses.  I do know that CAPEC libraries exist for this, however,
I think that people have more challenges in fathoming attack patterns than
understanding vulns/ weaknesses and more can be done beyond CAPEC.
Regardless of audience, developers, architects, netops people, etc - they
get the vuln/ weakness, they just don’t understand how the attacks can
manifest in the multitude of ways that they can.

Preemptive counter note: By no means do I mean that 100% of IT people
(dev, sysadmins, DBAs, etc) get what these vulns mean and how they work, so
no need to point out the obvious.  There are orgs still that don’t even do the
bare minimum and have never heard of SQLi or XSS, however, the point is
that the periodic table of vulns would be ‘getting in line’ to the list of
vuln resources that inform those that are noobs to the more proficient.


Tony UV
ATL Chapter Lead

Sent from tablet device - please excuse any typos

*From:* James Landis <james.landis at owasp.org>
*Sent:* March 5, 2013 6:56 PM
*To:* Abbas Naderi <abbas.naderi at owasp.org>
*CC:* owasp-leaders at lists.owasp.org
*Subject:* Re: [Owasp-leaders] The OWASP Periodic Table Project

Glad you asked. On the main project page, click on the tab labeled
"Periodic Table of Vulnerabilities". You'll see the first draft incarnation
covering ALL known vulnerability classes. :) (Please let me know if you
think I've missed one.)

Or, click here:
https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities#Periodic_Table_of_Vulnerabilities


On Tue, Mar 5, 2013 at 3:52 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:

Hello guys,
Glad to hear another very useful project kicking in.
I think providing one or two examples of vulns plus the description and
solution the OWASP Periodic Table wants to offer would set things for most
of us, as it is really vague right now in my mind at least.
Thanks
-Abbas

On 16 Esfand 1391, at 3:20, James Landis <james.landis at owasp.org> wrote:

I think the Periodic Table sits just one level of abstraction above this
argument. No matter where we finally land on the output encoding vs. input
validation debate, would we all agree that any generic secure web app
framework (e.g. "secure" rails, "secure" struts, etc.) should automatically
enforce both of them without requiring a developer to remember to call the
right validation or encoding function?

A flexible framework would probably want to expose configuration options
for the filters and encoders, but for the first version of the document I'd
only want to get as far into the implementation details as is necessary to
make sure we know the solution is technically feasible and not going to
kill off the entire user base for the framework.

-j


On Tue, Mar 5, 2013 at 1:31 PM, Dennis Groves <dennis.groves at owasp.org> wrote:


* Other oddball contexts need their own love, probably along the lines of
IV.


Would love to see some examples.

And in general, input validation is great secure coding hygiene practice
and does indeed stop some injection (like when validating numeric input
that lands in a query). But to stop SQL Injection, it's all about query
parametrization (and proper design) for complete defense.


Is that because you're thinking of remediation and we are thinking of root
cause?
In my mind root cause and remediation are not the same, one is a how
(solution) the other is the why (reason). And I unfortunately, can not
think of any examples. :/


Dennis

-- 
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or
[schedule a meeting](http://goo.gl/8sPIy).

*This email is licensed under a [CC BY-ND 3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB)
license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free software](http://www.fsf.org/campaigns/secure-boot/statement).

 The idea that some lives matter less is the root of all that’s wrong with
the world. -- Paul Farmer

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders






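Dennis's point above (strict validation of numeric input is a complete fix in a numeric query context, but string contexts need bound parameters) can be shown side by side. This is an added example, not code from the thread or from the OWASP project; it uses an in-memory SQLite table with constructed rows, and the function names are mine.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the thread): two users, one with an apostrophe."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", 0), (2, "O'Brien", 1)])
    return con


def lookup_by_id_validated(con, raw_id):
    """Numeric context: an allow-list check on the input is sufficient on its own,
    because a value that is only digits cannot change the SQL grammar."""
    if not re.fullmatch(r"\d{1,9}", raw_id):
        raise ValueError("id must be numeric")
    # Concatenation is safe here solely because of the check above.
    return con.execute(f"SELECT name FROM users WHERE id = {raw_id}").fetchall()


def lookup_by_name_concat(con, name):
    """String context built by concatenation: the defective form kept for contrast."""
    return con.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_by_name_param(con, name):
    """String context with a bound parameter: the driver never parses the value as SQL,
    so no input filtering is needed and legitimate apostrophes survive."""
    return con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def demo():
    """Run each lookup on the same inputs and summarise the outcomes."""
    con = make_db()
    tautology = "x' OR '1'='1"  # classic test string that exposes the concatenated form
    out = {}
    try:
        lookup_by_id_validated(con, "1 OR 1=1")
        out["numeric_validation_rejects"] = False
    except ValueError:
        out["numeric_validation_rejects"] = True
    out["concat_rows_for_tautology"] = len(lookup_by_name_concat(con, tautology))
    out["param_rows_for_tautology"] = len(lookup_by_name_param(con, tautology))
    try:  # the concatenated form also breaks on valid data containing a quote
        lookup_by_name_concat(con, "O'Brien")
        out["concat_handles_apostrophe"] = True
    except sqlite3.OperationalError:
        out["concat_handles_apostrophe"] = False
    out["param_rows_for_apostrophe"] = len(lookup_by_name_param(con, "O'Brien"))
    return out
```

Running `demo()` shows the concatenated query returning every row for the tautology and failing outright on the legitimate name, while the parameterised query returns no rows for the former and exactly one for the latter.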

