[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS

robert at webappsec.org
Wed Jul 15 23:34:47 EDT 2009


> anyway). It's just easier to understand the coverage. It's *possible* to
> organize these efforts around attacks and weaknesses, but there are so many
> of them that completeness becomes very difficult.  

Certainly! Things can also get rather complicated depending on the terminology you wish
to use, and the context in which an issue is described/used.

> Is there a plan to cover the 700+ CWE in the TC?


Short answer: The WASC TC is more an effort to classify the weaknesses and 
attacks that can lead to the compromise of a website, its data, or its users. It
is not meant to replace CWE/CAPEC, nor is it trying to.  

Long answer: 
An issue I have with MITRE's CAPEC/CWE projects is that they are far too extensive for everyday use,
but are excellent for academic purposes, products, and training. To be clear, I love MITRE's work and 
it is far more extensive than anything out there, but I feel that it isn't very 'digestible' by 
people such as product managers, QA engineers, or even developers looking to understand why they
need to fix issue x, at least in my personal experience. Also, people performing security testing 
aren't going to go through a 700+ item list and check off what they've looked for/need to look for
when building a threat model/security testing plan. I've had this exact conversation repeatedly with
multiple pentesting firms and it simply is too overwhelming. On the flip side, top 10-20 lists aren't adequate
enough for identifying the type of security testing required for a fairly thorough assessment.
This is in no way negative towards such top x lists; I frequently forward people along to them as a reference
for a given issue (like OWASP's excellent Top Ten), or as a light security test checklist of issues to look for. 
I think for this use case it depends on just how 'deep' you wish to go, and for many people the WASC TC represents 
a fairly decent level of coverage. Once 2.0 is out the door we'll begin working on much smaller releases 
to add missing attacks and weaknesses to enhance this coverage.

How people are using the TC (yes, I pasted this before, but it is directly related to this message):
http://projects.webappsec.org/Using-the-Threat-Classification 

Please pardon my lengthy response and mini rants :)

Regards,
- Robert Auger

> --Jeff
> 
> From: arian.evans at gmail.com [mailto:arian.evans at gmail.com] On Behalf Of
> Arian J. Evans
> Sent: Monday, July 13, 2009 3:37 PM
> To: Roger Munk; websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] WASC Threat Classification vs. OWASP ASVS
> 
>  
> 
> The WASC "threat classification" is a mix of both attack-nodes and
> weakness-nodes, largely from a blackbox perspective.
> 
> ASVS is primarily Whitebox and a process and "requirements" document. The
> WASC 24 covers none of that.
> 
> You could use both. ASVS as your process guide, but cover all of the
> WASC/24 as part of your BB checklist of "things to test for".
> 
> OWASP tends to be a whitebox-focused organization, and WASC tends to be a
> black-box-focused organization, if that helps clarify for you.
> 
> The ASVS has "requirements" which WASC does not. Many are good, but some are
> arbitrary requirements, like "verify validation is done with whitelists".
> 
> You have to take these types of absolutes provided without any business
> context with a grain of salt. Sometimes whitelists work, and sometimes they
> are just not feasible, and sometimes blacklists actually work better (not
> often, but sometimes). At the end of the day the business context is
> everything. Aside from that stuff, ASVS looks like a great "process guide"
> to start with if you want to do more than blackbox test.
> 
> Whereas the WASC, being attack-node centric, does not have any "you must design
> your system like this". It is mostly a list of "you are weak to Attack Type
> X". Even systemic weaknesses (like a weak authorization system) are usually
> described in some form of a parameter-tampering attack.
> 
> Does that answer?
> 
> -- 
> Arian Evans
> 
> 
> 
> 
> 
> On Mon, Jul 13, 2009 at 11:09 AM, Roger Munk <roger.munk at gmail.com> wrote:
> 
> I'm putting together a requirements list for black box web pen testing
> and want to include a standards requirement. I've looked into the WASC
> Threat Classification and OWASP's ASVS. The former seems to focus on
> high level threats, while the latter on testing controls present in
> the app. With the release of version two of the threat classification,
> which standard is more appropriate to use for web app pen testing and
> why?
> 
> Thanks,
>  Roger
> 


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
