[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS

robert at webappsec.org robert at webappsec.org
Wed Jul 15 14:04:27 EDT 2009

> With respect to terminology, it was noted that there are a lot of vague
> terms being used, and one definition may seem precise but winds up relying
> on vague concepts.  Some terms are used in such different contexts that I
> think it's risky to use them; even if you precisely define it, 95% of
> users will have their own interpretation.  In CWE we are trying to improve
> situations on the weakness side (which also touches on attacks because of
> their association); see the glossary at
> http://cwe.mitre.org/documents/glossary/index.html which is an evolving,
> imperfect attempt at some concepts.

WASC decided to utilize a couple of terms coined by MITRE for the TC, as outlined at 
http://projects.webappsec.org/TC-Glossary . For impact and attack, MITRE's CWE had no definition,
so we combined a few definitions as best we could for our purposes. 

> For whatever it's worth, I've been leading the CVE project for 10 years
> and I've yet to come up with (or find) a good definition for
> "vulnerability."  Terminology is really hard to get right, especially if
> you want it to be useful to multiple parties.

After spending months trying to get terminology down, I have a larger appreciation
for the great work done by the MITRE folks. 

- Robert Auger
WASC Threat Classification v2 Project Leader

> - Steve
