[WEB SECURITY] 2009 Top 25 Programming Errors

Steven M. Christey coley at linus.mitre.org
Fri Jan 16 15:31:40 EST 2009

On Thu, 15 Jan 2009, Arian J. Evans wrote:

> That said, I have no Failures and Impropers in it. I think that is
> unnecessary pomp and bombast. And this coming from someone
> who is pompous and bombastic.

Oh... I can see how these could be interpreted that way.  Never thought of
that, honestly.

These are terms that we're struggling with having some consistency on in
CWE as a whole.  Many of our older names were things like "Insecure
XYZ..." which begged the question *how* was it insecure?  (since we're
slowly moving toward root cause).  We also wanted to distinguish between
"not" doing something versus "trying to do something but not getting it
right" versus "either you didn't do it at all, or you tried to do it and
failed, in this context it doesn't matter which one."  CWE terminology is
evolving to be "Missing [Noun]" or "Failure to [Verb]" when the programmer
doesn't do something; "Insufficient [Noun|Verb]" when the programmer tries
but doesn't fully succeed; and "Improper" to cover when either of those is

There were no judgments intended in them.

Earlier versions of these names might have been "Not Doing [XYZ]" which
didn't seem to flow.  "Insecure" has so many possible interpretations that
we are moving away from it as much as we can.  And so on.

Note that we still have a long way to go in cleaning up our vocab in CWE.
The CWE glossary is trying to capture some of this:


Other followups later...

- Steve

