[Owasp-topten] Re: [OWASP-LEADERS] Apologies
Steven M. Christey
coley at linus.mitre.org
Fri Aug 19 14:22:35 EDT 2005
On Sat, 20 Aug 2005, Andrew van der Stock wrote:
> a) Revisit bugtraq and analyze this year's vulnerabilities. Nothing
> beats real data. This is the Top 10 after all. Be clear on
> vulnerabilities versus threats versus countermeasures... Top 10
> should be about vulnerabilities leading to actual business loss.
I have an extensive draft of over 1400 CVE names in approximately 300
vulnerability categories, called PLOVER. It covers a broad range of
security issues, not just web apps, and it probably has a slightly
different angle on web app issues than OWASP. It's basically my old
vulnerability auditing checklist on steroids. It's recent enough to
include things like CSRF, request smuggling, permissive whitelists, and
eval injection. It also includes some elements of "vulnerability theory"
that I haven't really seen covered elsewhere. It will eventually be
distributed publicly, hopefully within a month, but I'd be glad to share
this privately with a working group in the meantime.
Note that I haven't fully compared it to the current T10 or Andrew's
latest document, although that's somewhere in the plan.
More information about the Owasp-topten