[Owasp-topten] Owasp top 10 in translations and weakness/attack separation

Pekka Sillanpää pekka.sillanpaa at nixu.com
Thu May 28 05:45:11 EDT 2009


I am not sure if this topic has already been discussed, but the
following points came to mind as I read the discussion going on
about Top 10 2009.

Our local chapter has found it quite difficult to translate terms like
"cross-site", "injection" etc. natively into our language, and I saw that
other countries have faced this problem as well (XSS, SQL injection,
CSRF have not usually been translated at all). However, the more the native
language can be used in terminology (reports etc.), the better.

We found it easier to translate the weakness name, not the attack name.
All the aforementioned tricky words are actually related to attacks, not
weaknesses. A weakness is what makes an attack possible, and in my opinion
all Top 10 items should be weaknesses or attacks consistently.

No doubt the current A1 vulnerability (related to XSS) is the most
common weakness, but perhaps not the most commonly used attack pattern.

Example weakness -> attack separations:

Web page structure not preserved (or CWE-79 Failure to preserve web page
-> Web page content injection / manipulation / XSS

Database query structure not preserved
-> Database query structure injection / manipulation

Request origin not identified sufficiently
-> Request forgery (to same or another site/context)

I appreciate the CWE taxonomy work done by MITRE, and they have
approached this from the weakness perspective. I like this approach.
They also have CAPEC for attack patterns, which is a different thing.


More information about the Owasp-topten mailing list
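To make the weakness-side wording from the post concrete ("query structure not preserved", "web page structure not preserved"), here is an added example, not part of the original message: each weakness is shown beside the form that preserves the structure, and a small check reports whether ordinary data such as a name with an apostrophe changes the query's structure. The table, sample input and helper names are constructed for illustration.

```python
import html
import sqlite3

# Constructed sample input: an ordinary value containing characters that
# alter the structure of a query or a page unless they are neutralized.
SAMPLE_INPUT = "o'reilly <b>"


def make_db():
    """In-memory table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    return conn


def query_structure_not_preserved(conn, name):
    # Weakness: concatenation lets the data become part of the query text,
    # so the data can change the query's structure (here: a parse error).
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def query_structure_preserved(conn, name):
    # Structure preserved: the query text is fixed; data is bound separately.
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)
    ).fetchall()


def query_structure_is_preserved(conn, run_query, name):
    """True if the query still parses and runs unchanged with this data."""
    try:
        run_query(conn, name)
        return True
    except sqlite3.OperationalError:
        return False


def page_structure_not_preserved(name):
    # Weakness: data is inserted verbatim into the page's markup.
    return "<p>Hello " + name + "</p>"


def page_structure_preserved(name):
    # Structure preserved: markup-significant characters become entities.
    return "<p>Hello " + html.escape(name) + "</p>"
```

The weakness name describes the code's defect ("structure not preserved") independent of how anyone might exploit it, which is the separation the post argues for.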