[WEB SECURITY] 2009 Top 25 Programming Errors
Arian J. Evans
arian.evans at anachronic.com
Fri Jan 16 16:05:53 EST 2009
Ah, I think you are on the right direction with terminology then.
I would like to see the "Top 25" evolve faster in this direction.
Also, we need a "webapp" version, since that will probably
be the primary use of the "Top 25". </guess>
On Fri, Jan 16, 2009 at 12:31 PM, Steven M. Christey
<coley at linus.mitre.org> wrote:
> On Thu, 15 Jan 2009, Arian J. Evans wrote:
>> That said, I have no Failures and Impropers in it. I think that is
>> unnecessary pomp and bombast. And this coming from someone
>> who is pompous and bombastic.
> Oh... I can see how these could be interpreted that way. Never thought of
> that, honestly.
> These are terms that we're stuggling with having some consistency on in
> CWE as a whole. Many of our older names were things like "Insecure
> XYZ..." which begged the question *how* was it insecure? (since we're
> slowly moving toward root cause). We also wanted to distinguish between
> "not" doing something versus "trying to do something but not getting it
> right" versus "either you didn't to it at all, or you tried to do it and
> failed, in this context it doesn't matter which one." CWE terminology is
> evolving to be "Missing [Noun]" or "Failure to [Verb]" when the programmer
> doesn't do something; "Insufficient [Noun|Verb]" when the programmer tries
> but doesn't fully succeed; and "Improper" to cover when either of those is
> There were no judgments intended in them.
> Earlier versions of these names might have been "Not Doing [XYZ]" which
> didn't seem to flow. "Insecure" has so many possible interpretations that
> we are moving away from it as much as we can. And so on.
> Note that we still have a long way to go in cleaning up our vocab in CWE.
> The CWE glossary is trying to capture some of this:
> Other followups later...
> - Steve
Anti-Gun/UN people: you should weep for
Mumbai. Your actions leave defenseless dead.
"Among the many misdeeds of the British
rule in India, history will look upon the Act
depriving a whole nation of arms, as the
blackest." -- Mahatma Gandhi
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
More information about the websecurity