[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS

robert at webappsec.org robert at webappsec.org
Thu Jul 16 13:51:54 EDT 2009

> > An issue I have with mitre's CAPEC/CWE projects is that it is FAR too
> > extensive for everyday use but are excellent for academic purposes,
> > products, and training. To be clear I love mitre's work and it is far
> > more extensive than anything out there, but I feel that it isn't very
> > 'digestible' by people such as product managers, QA engineers, or even
> > developers looking to understand why they need to fix issue x, at least
> > in my personal experiences.
> Definitely agree on this.  We try to provide alternate views into portions
> of CWE data (e.g. the Development View at
> http://cwe.mitre.org/data/graphs/699.html) but we haven't figured out how
> best to present these kinds of views - or even simpler ones.  The
> Development View is a bit of a hodgepodge and needs some maintenance, but
> it has lots of different categories that are more centered around how
> non-security people may think, such as CWE-376 Temporary File Issues,
> CWE-465 Pointer Issues, and CWE-442 Web Problems.

This is certainly a really hard problem to solve as the audience/document usage
can vary widely. We liked mitre's take on not locking into a single structure/concept,
and instead providing the raw data and creating 'views' of that data to demonstrate
different concepts.

This has the advantage of:
- Expanding the document scope/not limiting what can be included
- Not limiting the inclusion of items simply because they don't fit well, or
having to create a dirty concept because those items really need to be included
but don't fit into logical locations.

> A dream is to someday provide an interactive graphical browser that lets
> people expand and contract entries, follow various relationships, etc.

That would be cool! :)

- Robert Auger
