[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS
Jim Manico
jim at manico.net
Mon Jul 13 15:16:33 EDT 2009
I'm a huge fan of OWASP ASVS because it leads us out of the
never-ending rat race of finding and fixing flaws. It focuses only on
critical software controls needed to build a "secure" application. I
tried adding in a few best practices that were rejected because they
only wish to include *necessary* controls, a good thing, I think.
I approach AppSec from a defensive coder perspective; I just want to
know what features to add to my software. ASVS helps me measure my
software in that regard very well.
To put it another way, if I focus on vulnerability assessment, I know
what vulns I have and can fix those. Reminds me of blacklisting.
If I focus on controls (ASVS + ESAPI) I tend to be able to build an
app that can stand the test of time.
Now, the WASC folks are super smart, and the threat classification is
a solid body of work. Control based AppSec is not something I hear
about often on these lists.
Jim Manico
On Jul 13, 2009, at 1:01 PM, robert at webappsec.org wrote:
> Hello Roger,
>
> I lead the WASC TCv2 project and will be able to answer your
> questions, albeit with a bias towards the TC.
> For starters I am not the best person to speak on behalf of the
> OWASP ASVS project (maybe they will respond?)
> so I simply won't speak on it other than to say it appears to focus
> more on process and maturity levels.
>
> Second please take a peek at http://projects.webappsec.org/Using-the-Threat-Classification
> as it outlines
> ways people use the TC (myself included). Speaking on my own
> personal experience (and others that I know)
> I use the TC as
>
> A checklist:
> I use the TC as a checklist of potential security issues (the TC
> breaks this up into attacks and weaknesses)
> that my application/site is likely to be affected by. I evaluate
> which functionality my application offers from
> a business and technical perspective and map that functionality to
> possible weaknesses and attacks that will need
> to be evaluated during a security review. For example if my
> application uses XML and XQUERY I'd add XML Injection
> (http://projects.webappsec.org/XML-Injection) and XQuery Injection (http://projects.webappsec.org/XQuery-Injection)
> to a list of security concerns, effectively creating a minimum
> security test plan/threat model. I then ensure my
> security evaluations/testing is checking (at the least) for the
> attacks and weaknesses against this list. I've
> personally had a situation where I've used the TC on a pen test with
> a 3rd party and asked if they performed 'x'
> testing which they responded no. Shortly after they performed the
> testing and found an 'x' issue. In this situation
> I used the TC as a checklist and it resulted in a finding that may
> or may not have been discovered had I not asked.
>
> Reference Material
> When I file a security defect I provide a URL to the appropriate TC
> section for additional reading by development
> and/or QA. This saves me time rewriting/explaining the issue and
> being too brief. The TCv2 subsections are all group
> peer reviewed in multiple phases and once they are completed are
> locked (random website visitors cannot modify them
> as with a traditional wiki).
>
> Security Metrics
> In particular the ability to flag defects with a certain attack or
> weakness flag allowing me to gain better insight into
> the more prevalent issues. This has been useful in developing better
> security training, enhancing security testing/finding
> gaps, and evaluating priority for security component development.
>
> Chances are you'd probably utilize both for different aspects in
> your security program.
> Based on your email I will likely write an in depth article on using
> the TC beyond the light wiki page above
> as we near publication.
>
> Regards,
> - Robert Auger
> WASC Co Founder and Threat Classification v2 Project Leader
> http://www.webappsec.org/
>
>>
>> I'm putting together a requirements list for black box web pen
>> testing
>> and want to include a standards requirement. I've looked into the WASC
>> Threat Classification and OWASP's ASVS. The former seems to focus on
>> high level threats, while the latter on testing controls present in
>> the app. With the release of version two of the threat
>> classification,
>> which standard is more appropriate to use for web app pen testing and
>> why?
>>
>> Thanks,
>> Roger
>
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA