[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS

Steven M. Christey coley at linus.mitre.org
Thu Jul 16 12:30:23 EDT 2009

On Wed, 15 Jul 2009 robert at webappsec.org wrote:

> An issue I have with mitre's CAPEC/CWE projects is that it is FAR to
> extensive for everyday use but are excellent for academic purposes,
> products, and training. To be clear I love mitre's work and it is far
> more extensive than anything out there, but I feel that it isn't very
> 'digestable' by people such as product managers, QA engineers, or even
> developers looking to understand why they need to fix issue x at least
> in my personal experiences.

Definitely agree on this.  We try to provide alternate views into portions
of CWE data (e.g. the Development View at
http://cwe.mitre.org/data/graphs/699.html) but we haven't figured out how
best to present these kinds of views - or even simpler ones.  The
Development View is a bit of a hodegepodge and needs some maintenance, but
it has lots of different categories that are more centered around how
non-security people may think, such as CWE-376 Temporary File Issues,
CWE-465 Pointer Issues, and CWE-442 Web Problems.

We also have visualizations at http://cwe.mitre.org/data/pdfs.html but
these still capture large numbers of problems.

A dream is to someday provide an interactive graphical browser that lets
people expand and contract entries, follow various relationships, etc.

> Also people performing security testing aren't going to go through a
> 700+ item list and check off what they've looked for/need to look for
> when building a threat model/security testing plan.

CWE has abstraction labels for each Weakness entry.  While these aren't
perfect, one could look for CWE items at the "Class" (and maybe "Base")
level of abstraction, which would narrow down the 700 to more manageable
numbers.  Navigating a couple levels down in the Research View
(http://cwe.mitre.org/data/graphs/1000.html) may also be informative.

Again, I recognize that we don't present this stuff well, especially for
people who don't need to be thorough.

- Steve

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list