WebApp Sec mailing list archives

Re: OWASP Top Ten - why taxing taxonomies?


From: "Frank O'Dwyer" <fod () littlecatZ com>
Date: Thu, 14 Jul 2005 01:38:35 +0100

Evans, Arian wrote:

[...]
2. The CISO using the data can clearly see that OWASP T10 #10
issues go to the web server admins and #T4 issues go to the
presentation layer developers and #T1 issues go to the business
logic guys.

Thanks, that makes sense. However it doesn't really explain the
hierarchy, since all you need to achieve that is one level of heading.
Plus, you still need multiple ways to slice and dice the issues
depending on the task at hand (e.g. "show me all the high risk issues",
"show me all the issues that can be fixed cheaply"). Moreover it's not
hard to come up with an issue where the fix involves more than one team,
even everybody.

I think that in general attempts to present attacks, threats,
vulnerabilities, countermeasures, what have you, in any kind of rigid
hierarchy are unlikely to work. There are a number of reasons, and
here are a few off the top of my head:

1. They are usually subjective, so what works for one person won't work
for another. There is no one, true tree of issues.
2. Most experts can't even agree on the difference between a threat and
a vulnerability, or a vulnerability and a bug, or a risk and a threat.
Given that, trying to get consensus on what *type* of
risk/threat/vulnerability you are talking about is going to be even harder.
3. There is no 1-to-1 mapping between these things. A given
countermeasure may defend against a number of attacks, and a good one
almost always does. (A really good one will also mitigate attacks as yet
unheard of, aka 'magic'). Or, a given vulnerability may enable several
attack objectives to be met. Or, a given attack may require two things
to happen.

[...]

Cheers,
Frank

