WebApp Sec mailing list archives
RE: OWASP Top Ten - taxing taxonomies
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Tue, 12 Jul 2005 17:59:52 -0500
This is sort of ironic, all in all. I started a project that I've yet to post on OWASP about categorizing and providing metrics around software testing tools. After I dug in I realized that I didn't have a clear taxonomy on how to test software, and on down the line until some folks in Seattle pointed out that several of the taxonomies I was using were flawed. I just talked with Steve Christey at MITRE about how to move forward because he's done a lot of work on this subject too. I know a few other folks as well who are interested in contributing to a clarification effort. Anyway, the question below sums up the point. I'll leave this on the main list because it's beyond the Top 10.

Mark-

> Create a set of T10's that are fit for purpose:
> T10 - Attack Patterns
> T10 - Common Vulnerabilities
> T10 - Root Causes of Insecure Web Applications
> T10 - Things a company should have as part of its software security program
> T10 - Things to look for in a protection system
> T10 - Things to look for in an assessment system

Ralf-

> One question remains for me: I'm NOT seeing a significant difference between #1 "T10 Attack patterns" and #2 "T10 Common vulnerabilities". Isn't it just a matter of wording as to whether each of these is an attack pattern or a vulnerability?

Here are three elements I use in distinction in my Taxonomy of 'Issues': Class, Category, Particular, e.g.--

Class -- programmatic
Category -- input validation (or output encoding)
Particular -- XSS

Now the more important work is to break these up like Mark's T10's, but here's what I think is needed (in addition to his):

Risks (e.g. $x loss)
Threats (e.g. repudiation claim)
Attacks (e.g. spoof user via cookie forging to initiate transaction)
Weaknesses (e.g. session handling is weak)
Vulnerabilities (e.g. known WebSphere something-or-other vuln)

Vuln is sticky; StevenC can speak better to this, but for example what is a "buffer overflow" versus "format string", and which is the bug and which is the attack...

So to answer Ralf, take Microsoft's threat model: STRIDE. Spoofing of user identity, Threat #1, is actually the Attack, not the Threat. You could say Threat of Spoofing User Identity, but who cares? Threat of causing fraudulent transactions that someone is going to be accountable for, that's the Threat.

Also, the taxonomies surrounding software security (and parts of general software assurance) are wholly undefined, and without this I have come to the conclusion that progress in analysis of testing/tools is going to be limited or meaningless.

I'll halt now as I'm regurgitating Mark, all of which I've said before on this list and others, and the question now is: What do we do? Who has the bandwidth to do it? Steven mentioned the idea of a dedicated list for taxonomy, categorization, etc., for software security. Does OWASP want to host this? WASC? I want to contribute to building these taxonomies, they are long overdue, but I don't have the bandwidth to lead at the moment.

-ae