[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS

Arian J. Evans arian.evans at anachronic.com
Wed Jul 15 13:28:27 EDT 2009

Both orgs (Mitre and WASC) are doing some great work now. I'm very
excited to see TC/2 finished.

I had some serious doubts about Mitre's CWE and CAPEC at first, mainly
due to the divergence from CVE-style classification. But now I think
it's safe to say that my doubts were in error. Mitre is doing great
work here, and it looks to be on the right track.

I really like your (Steve's) comments preceding Bob's. Very
intelligent; so another hat-tip to you folks.

All of this will be useful because many people still have a hard time
understanding the issues with their software due to consultants and
tools all using non-standardized definitions, bouncing between
describing attacks and weaknesses without any distinction, calling
them all "vulnerabilities".

Steven -- for the record, I went for the simplest possible definition
of "vulnerability" I could find:

"an instantiated instance of an exploitable weakness"

So I deliberately tend to put things like "information leakage" and
"best-practices/safety controls" into completely different buckets
than "vulnerabilities". They are things that increase exploitability
and/or impact of exploitation vulnerabilities, but are not

I know the classic arguments here, but given a decision: simpler is
better here IMHO.


Main Entry:
    vul·ner·a·ble
    \ˈvəl-n(ə-)rə-bəl, ˈvəl-nər-bəl\
    Late Latin vulnerabilis, from Latin vulnerare to wound, from
    vulner-, vulnus wound; probably akin to Latin vellere to pluck, Greek
    oulē wound

1 : capable of being physically or emotionally wounded
2 : open to attack or damage : assailable <vulnerable to criticism>
3 : liable to increased penalties but entitled to increased bonuses
after winning a game in contract bridge

Arian Evans

On Wed, Jul 15, 2009 at 11:04 AM, <robert at webappsec.org> wrote:
>> With respect to terminology, it was noted that there are a lot of vague
>> terms being used, and one definition may seem precise but winds up relying
>> on vague concepts.  Some terms are used in such different contexts that I
>> think it's risky to use them; even if you precisely define it, 95% of
>> users will have their own interpretation.  In CWE we are trying to improve
>> situations on the weakness side (which also touches on attacks because of
>> their association); see the glossary at
>> http://cwe.mitre.org/documents/glossary/index.html which is an evolving,
>> imperfect attempt at some concepts.
> WASC decided to utilize a couple of terms coined by mitre for the TC as outlined at
> http://projects.webappsec.org/TC-Glossary . For impact and attack mitre's CWE had no definition
> so we combined a few definitions as best we could for our purposes.
>> For whatever it's worth, I've been leading the CVE project for 10 years
>> and I've yet to come up with (or find) a good definition for
>> "vulnerability."  Terminology is really hard to get right, especially if
>> you want it to be useful to multiple parties.
> After spending months trying to get terminology down I have a larger appreciation
> for the great work done by the mitre folks.
> Regards,
> - Robert Auger
> WASC Threat Classification v2 Project Leader
>> - Steve
