[WEB SECURITY] 2009 Top 25 Programming Errors

Arian J. Evans arian.evans at anachronic.com
Fri Jan 16 16:05:53 EST 2009


Ah, I think you are on the right direction with terminology then.

I would like to see the "Top 25" evolve faster in this direction.

Also, we need a "webapp" version, since that will probably
be the primary use of the "Top 25". </guess>

-ae


On Fri, Jan 16, 2009 at 12:31 PM, Steven M. Christey
<coley at linus.mitre.org> wrote:
>
> On Thu, 15 Jan 2009, Arian J. Evans wrote:
>
>> That said, I have no Failures and Impropers in it. I think that is
>> unnecessary pomp and bombast. And this coming from someone
>> who is pompous and bombastic.
>
> Oh... I can see how these could be interpreted that way.  Never thought of
> that, honestly.
>
> These are terms that we're struggling with having some consistency on in
> CWE as a whole.  Many of our older names were things like "Insecure
> XYZ..." which begged the question *how* was it insecure?  (since we're
> slowly moving toward root cause).  We also wanted to distinguish between
> "not" doing something versus "trying to do something but not getting it
> right" versus "either you didn't to it at all, or you tried to do it and
> failed, in this context it doesn't matter which one."  CWE terminology is
> evolving to be "Missing [Noun]" or "Failure to [Verb]" when the programmer
> doesn't do something; "Insufficient [Noun|Verb]" when the programmer tries
> but doesn't fully succeed; and "Improper" to cover when either of those is
> appropriate.
>
> There were no judgments intended in them.
>
> Earlier versions of these names might have been "Not Doing [XYZ]" which
> didn't seem to flow.  "Insecure" has so many possible interpretations that
> we are moving away from it as much as we can.  And so on.
>
> Note that we still have a long way to go in cleaning up our vocab in CWE.
> The CWE glossary is trying to capture some of this:
>
>  http://cwe.mitre.org/documents/glossary/index.html
>
> Other followups later...
>
> - Steve
>



-- 
Arian Evans

Anti-Gun/UN people: you should weep for
Mumbai. Your actions leave defenseless dead.

"Among the many misdeeds of the British
rule in India, history will look upon the Act
depriving a whole nation of arms, as the
blackest." -- Mahatma Gandhi

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
