[Owasp-topten] Draft NISTIR 7628 / Vulnerabilities

Colin Watson colin.watson at owasp.org
Tue Nov 10 07:50:16 EST 2009


Dear Top 10 List

The Global Industry Committee has noted a new draft NIST document on
"Smart Grid Cyber Security Strategy and Requirements":

http://csrc.nist.gov/publications/drafts/nistir-7628/draft-nistir-7628.pdf

In section 1.4.2 "Performance of a risk assessment of the Smart Grid,
including assessing vulnerabilities, threats and impacts", on page 5,
a paragraph mentions:

"The risk assessment, including identifying vulnerabilities, impacts
and threats will be done
from both a high-level overall functional perspective and a focus on
the six functional
priority areas that are the focus of this framework and roadmap
report. The output will be
used in the selection of security requirements and the identification
of security requirements
gaps. The initial draft list of vulnerability classes was developed
using information from
several existing documents and websites, e.g., NIST SP 800-82 and the Open Web
Application Security Project (OWASP) vulnerabilities list. These
vulnerability classes will
be used in ensuring that the security controls address the identified
vulnerabilities. The
vulnerability classes may also be used by Smart Grid implementers,
e.g., vendors and utilities
in assessing their systems."

Appendix C of the document defines the "NIST CSCTG VULNERABILITY CLASSES":

"As input to the classification process, we used many sources of
vulnerability information,
including NIST 800-82 and 800-53, OWASP vulnerabilities, CWE
vulnerabilities, attack
documentation from INL, input provided by the NIST CSCTG Bottoms-Up
group, and the
NERC CIP standards. Compiling one document from these many sources
with different viewpoints
has sometimes been challenging, and further refinement is planned
based on feedback
from the CSCTG. This document is still under revision and is open for comment."

and references this URL only:

http://www.owasp.org/index.php/Category:Vulnerability

Would anyone in the Top 10 project like to comment on the document or
think we should ask other OWASP sources to be cited?

Regards

Colin Watson
Global Industry Committee
http://www.owasp.org/index.php/Global_Industry_Committee


More information about the Owasp-topten mailing list