[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS
Arian J. Evans
arian.evans at anachronic.com
Wed Jul 15 13:28:27 EDT 2009
Both orgs (Mitre and WASC) are doing some great work now. I'm very
excited to see TC/2 finished.
I had some serious doubts about Mitre's CWE and CAPEC at first, mainly
due to the divergence from CVE-style classification. But now I think
it's safe to say that my doubts were in error. Mitre is doing great
work here, and it looks to be on the right track.
I really like your (Steve's) comments preceding Bob's. Very
intelligent; so another hat-tip to you folks.
All of this will be useful because many people still have a hard time
understanding the issues with their software due to consultants and
tools all using non-standardized definitions, bouncing between
describing attacks and weaknesses without any distinction, calling
them all "vulnerabilities".
Steven -- for the record, I went for the simplest possible definition
of "vulnerability" I could find:
"an instantiated instance of an exploitable weakness"
So I deliberately tend to put things like "information leakage" and
"best-practices/safety controls" into completely different buckets
than "vulnerabilities". They are things that increase exploitability
and/or impact of exploitation vulnerabilities, but are not
I know the classic arguments here, but given a decision: simpler is
better here IMHO.
vul·ner·a·ble
Late Latin vulnerabilis, from Latin vulnerare to wound, from
vulner-, vulnus wound; probably akin to Latin vellere to pluck, Greek
1 : capable of being physically or emotionally wounded
2 : open to attack or damage : assailable <vulnerable to criticism>
3 : liable to increased penalties but entitled to increased bonuses
after winning a game in contract bridge
On Wed, Jul 15, 2009 at 11:04 AM, <robert at webappsec.org> wrote:
>> With respect to terminology, it was noted that there are a lot of vague
>> terms being used, and one definition may seem precise but winds up relying
>> on vague concepts. Some terms are used in such different contexts that I
>> think it's risky to use them; even if you precisely define it, 95% of
>> users will have their own interpretation. In CWE we are trying to improve
>> situations on the weakness side (which also touches on attacks because of
>> their association); see the glossary at
>> http://cwe.mitre.org/documents/glossary/index.html which is an evolving,
>> imperfect attempt at some concepts.
> WASC decided to utilize a couple of terms coined by Mitre for the TC as outlined at
> http://projects.webappsec.org/TC-Glossary . For impact and attack Mitre's CWE had no definition,
> so we combined a few definitions as best we could for our purposes.
>> For whatever it's worth, I've been leading the CVE project for 10 years
>> and I've yet to come up with (or find) a good definition for
>> "vulnerability." Terminology is really hard to get right, especially if
>> you want it to be useful to multiple parties.
> After spending months trying to get terminology down I have a larger appreciation
> for the great work done by the mitre folks.
> - Robert Auger
> WASC Threat Classification v2 Project Leader
>> - Steve