[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS

Steven M. Christey coley at linus.mitre.org
Wed Jul 15 12:53:51 EDT 2009

For the weakness-vs-attacks dichotomy, I view them as two sides of the
same coin.  We are exploring their inter-relationships extensively in the
Common Weakness Enumeration (CWE) and the Common Attack Pattern
Enumeration and Classification (CAPEC).  See http://cwe.mitre.org and
http://capec.mitre.org.  Each CAPEC entry links to one or more weaknesses
that an attack might exploit.  (Note that CAPEC is still under active
development so there are various gaps).

With respect to terminology, it was noted that there are a lot of vague
terms being used, and one definition may seem precise but winds up relying
on vague concepts.  Some terms are used in such different contexts that I
think it's risky to use them; even if you precisely define them, 95% of
users will have their own interpretation.  In CWE we are trying to improve
situations on the weakness side (which also touches on attacks because of
their association); see the glossary at
http://cwe.mitre.org/documents/glossary/index.html which is an evolving,
imperfect attempt at some concepts.

For whatever it's worth, I've been leading the CVE project for 10 years
and I've yet to come up with (or find) a good definition for
"vulnerability."  Terminology is really hard to get right, especially if
you want it to be useful to multiple parties.

- Steve
