WebApp Sec mailing list archives
Re: OWASP Top Ten - why taxing taxonomies?
From: "Frank O'Dwyer" <fod () littlecatZ com>
Date: Thu, 14 Jul 2005 01:38:35 +0100
Evans, Arian wrote:

> [...] 2. The CISO using the data can clearly see that OWASP T10 #10 issues go to the web server admins and #T4 issues go to the presentation layer developers and #T1 issues go to the business logic guys.

Thanks, that makes sense. However it doesn't really explain the hierarchy, since all you need to achieve that is one level of heading. Plus, you still need multiple ways to slice and dice the issues depending on the task at hand (e.g. "show me all the high risk issues", "show me all the issues that can be fixed cheaply"). Moreover it's not hard to come up with an issue where the fix involves more than one team, even everybody.

I think that in general attempts to present attacks, threats, vulnerabilities, countermeasures, what have you, in any kind of rigid hierarchy are unlikely to work. There are a number of reasons, and here's a few off the top of my head:

1. They are usually subjective, so what works for one person won't work for another. There is no one, true tree of issues.

2. Most experts can't even agree on the difference between a threat and a vulnerability, or a vulnerability and a bug, or a risk and a threat. Given that, trying to get consensus on what *type* of risk/threat/vulnerability you are talking about is going to be even harder.

3. There is no 1-to-1 mapping between these things. A given countermeasure may defend against a number of attacks, and a good one almost always does. (A really good one will also mitigate attacks as yet unheard of, aka 'magic'.) Or, a given vulnerability may enable several attack objectives to be met. Or, a given attack may require two things to happen.

[...]

Cheers,
Frank