[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS
jim at manico.net
Mon Jul 13 15:16:33 EDT 2009
I'm a huge fan of OWASP ASVS because it leads us out of the
neverending rat race of finding and fixing flaws. It focuses only on
critical software controls needed to build a "secure" application. I
tried adding in a few best practices that were rejected because they
only wish to include •necessary• controls, a good thing, I think.
I approach AppSec from a defensive coder perspecive; I just want to
know what features to add to my software. ASVS helps me measure my
software in that regard very well.
To put it a other way, if I focus on vulnerablity assessment, I know
what vulns I have and can fix those. Reminds me of blacklisting.
If I focus on controls (ASVS + ESAPI) I tend to be able to build an
app that can stand the test of time.
Now, the WASC folks are super smart, and the threat classification is
a solid body of work. Control based AppSec is not something I hear
about often on these lists.
On Jul 13, 2009, at 1:01 PM, robert at webappsec.org wrote:
> Hello Roger,
> I lead the WASC TCv2 project and will be able to answer your
> questions, albeit with a bias towards the TC.
> For starters I am not the best person to speak on behalf of the
> OWASP ASVS project (maybe they will respond?)
> so I simply won't speak on it other than to say it appears to focus
> more on process and maturity levels.
> Second please take a peek at http://projects.webappsec.org/Using-the-Threat-Classification
> as it outlines
> ways people use the TC (myself included). Speaking on my own
> personal experience (and others that I know)
> I use the TC as
> A checklist:
> I use the TC as a checklist of potential security issues (the TC
> breaks this up into attacks and weaknesses)
> that my application/site is likely to be affected by. I evaluate
> which functionality my application offers from
> a business and technical perspective and map that functionality to
> possible weaknesses and attacks that will need
> to be evaluated during a security review. For example if my
> application uses XML and XQUERY I'd add XML Injection
> (http://projects.webappsec.org/XML-Injection) and XQuery Injection (http://projects.webappsec.org/XQuery-Injection
> to a list of security concerns, effectively creating a minimum
> security test plan/threat model. I then ensure my
> security evaluations/testing is checking (at the least) for the
> attacks and weaknesses against this list. I've
> personally had a situation where I've used the TC on a pen test with
> a 3rd party and asked if they performed 'x'
> testing which they responded no. Shortly after they performed the
> testing and found an 'x' issue. In this situation
> I used the TC as a checklist and it resulted in a finding that may
> or may not have been discovered had I not asked.
> Reference Material
> When I file a security defect I provide a URl to the appropriate TC
> section for additional reading by development
> and/or QA. This saves me time rewriting/explaining the issue and
> being to brief. The TCv2 sub sections are all group
> peer reviewed in multiple phases and once they are completed are
> locked (random website visitors cannot modify them
> as with a traditional wiki).
> Security Metrics
> In particular the ability to flag defects with a certain attack or
> weakness flag allowing me to gain better insight into
> the more prevalent issues. This has been useful in developing better
> security training, enhancing security testing/finding
> gaps, and evaluating priority for security component development.
> Chances are you'd probably utilize both for different aspects in
> your security program.
> Based on your email I will likely write an in depth article on using
> the TC beyond the light wiki page above
> as we near publication.
> - Robert Auger
> WASC Co Founder and Threat Classification v2 Project Leader
>> I'm putting together a requirements list for black box web pen
>> and want to include a standards requirement. I've looked intothe WASC
>> Threat Classification and OWASP's ASVS. The former seems to focus on
>> high level threats, while the latter on testing controls present in
>> the app. With the release of version two of the threat
>> which standard is more appropriate to use for web app pen testing and
> Join us on IRC: irc.freenode.net #webappsec
> Have a question? Search The Web Security Mailing List Archives:
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> Join WASC on LinkedIn
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
More information about the websecurity