WebApp Sec mailing list archives

RE: OWASP Top Ten - taxing taxonomies


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Tue, 12 Jul 2005 17:59:52 -0500

This is sort of ironic, all in all. I started a project
that I've yet to post on OWASP about categorizing and
providing metrics around software testing tools. After
I dug in, I realized that I didn't have a clear taxonomy
on how to test software, and on down the line until some
folks in Seattle pointed out that several of the taxonomies
I was using were flawed.

I just talked with Steven Christey at Mitre about how to
move forward, because he's done a lot of work on this
subject too. I know a few other folks as well who are
interested in contributing to a clarification effort.

Anyway, the question below sums up the point. I'll leave this
on the main list b/c it's beyond the Top 10:

Mark-
Create a set of T10's that are fit for purpose;

T10 - Attack Patterns
T10 - Common Vulnerabilities
T10 - Root Causes of Insecure Web Applications 
T10 - Things a company should have as part of its software 
security program
T10 - Things to look for in a protection system
T10 - Things to look for in an assessment system
Ralf-

One question that remains for me is that I'm NOT seeing a significant
difference between #1 "T10 Attack patterns" and #2 "T10 Common
vulnerabilities". Isn't it just a matter of wording as to
whether each of these is an attack pattern or a vulnerability?

Here are three elements I use for distinction in my Taxonomy of 'Issues':
Class, Category, Particular, e.g.--

Class--programmatic
Category--input validation (or output encoding)
Particular--XSS 

Now the more important work is to break these up like Mark's T10's,
but here's what I think is needed (in addition to his):

Risks (e.g.- $x loss)
Threats (e.g.-repudiation claim)
Attacks (e.g.-spoof user via cookie forging to initiate transaction)
Weaknesses (e.g.-session handling is weak)
Vulnerabilities (e.g.-known WebSphere something-or-other vuln)

Vuln is sticky; StevenC can speak better to this, but for example:
what is a "buffer overflow" versus a "format string", and which
is the bug and which is the attack...

So, to answer Ralf, take Microsoft's threat model: STRIDE.

Spoofing of user identity, Threat #1, is actually the Attack,
not the Threat. You could say "Threat of Spoofing User Identity",
but who cares? The threat of causing fraudulent transactions that
someone is going to be accountable for, that's the Threat.

Also, the taxonomies surrounding software security (and parts of
general software assurance) are wholly undefined, and without
this I have come to the conclusion that progress in analysis
of testing/tools is going to be limited or meaningless.

I'll halt now, as I'm regurgitating Mark, all of which I've said
before on this list and others, and the question now is:

What do we do?
Who has the bandwidth to do it?

Steven mentioned the idea of a dedicated list for taxonomy,
categorization, etc., for software security. Does OWASP want
to host this? WASC?

I want to contribute to building these taxonomies; they are long
overdue, but I don't have the bandwidth to lead at the moment.

-ae
