[Owasp-leaders] [Owasp-community] OT10 Risks?

Jim Manico jim.manico at owasp.org
Mon Sep 22 17:03:46 UTC 2014


I'm with you, Bill, on attack definition, but I think a vuln is only
specific to a live system (i.e. CVE vs CAPEC). So....

Injection is an attack.

Lack of parameterized queries is a weakness.  (not a vuln)

XSS is also an attack.

Poor input validation, poor output encoding are weaknesses (not vulns).

A vulnerability is a weakness in an actual system that can be exploited
by one or more attack types.

That's my take, per my reading of Mitre. Dang this is messy and many
groups use these terms interchangeably.

--
Jim Manico
@Manicode
(808) 652-3805

> On Sep 22, 2014, at 12:53 PM, Bill Sempf <bill.sempf at owasp.org> wrote:
>
> Injection is an attack. Lack of parameterized queries is a vulnerability.
> XSS is also an attack. Poor input validation, poor output encoding are vulnerabilities.
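To put the thread's terms side by side in running code (an added example, not code from the thread or either author): the first lookup carries the weakness the thread names (no parameterized query), the second is the parameterized form that closes it; the users table and the tampered input are constructed for the demo.

```python
import sqlite3

# Constructed sample data, not from the thread: a tiny in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn

def lookup_weak(conn, name):
    # The weakness: the statement is assembled by string concatenation, so
    # the caller's input becomes part of the SQL grammar, not a value.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_parameterized(conn, name):
    # The mitigation: a bound parameter is always treated as data, whatever
    # characters it contains, so the same input matches no row.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))

# Constructed input that only reads as SQL once it is concatenated into
# the weak statement; the parameterized query compares it as a literal.
TAMPERED_INPUT = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "weak": lookup_weak(conn, TAMPERED_INPUT),
        "parameterized": lookup_parameterized(conn, TAMPERED_INPUT),
        "parameterized_normal": lookup_parameterized(conn, "alice"),
    }

if __name__ == "__main__":
    print(demo())
```

In the thread's vocabulary, `lookup_weak` is the weakness; it becomes a vulnerability once it ships in a real system reachable by the injection attack, and `lookup_parameterized` is the fix that removes the weakness regardless of input.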


More information about the OWASP-Leaders mailing list