[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS
robert at webappsec.org
Thu Jul 16 13:51:54 EDT 2009
> > An issue I have with mitre's CAPEC/CWE projects is that it is FAR too
> > extensive for everyday use but is excellent for academic purposes,
> > products, and training. To be clear I love mitre's work and it is far
> > more extensive than anything out there, but I feel that it isn't very
> > 'digestible' by people such as product managers, QA engineers, or even
> > developers looking to understand why they need to fix issue x, at least
> > in my personal experience.
>
> Definitely agree on this. We try to provide alternate views into portions
> of CWE data (e.g. the Development View at
> http://cwe.mitre.org/data/graphs/699.html) but we haven't figured out how
> best to present these kinds of views - or even simpler ones. The
> Development View is a bit of a hodgepodge and needs some maintenance, but
> it has lots of different categories that are more centered around how
> non-security people may think, such as CWE-376 Temporary File Issues,
> CWE-465 Pointer Issues, and CWE-442 Web Problems.
This is certainly a really hard problem to solve as the audience/document usage
can vary widely. We liked mitre's take on not locking into a single structure/concept,
and instead providing the raw data and creating 'views' of that data to demonstrate
different concepts.
This has the advantage of
- Expanding the document scope/not limiting what can be included
- Not limiting the inclusion of items simply because they don't fit well, or
having to create a dirty concept because those items really need to be included
but don't fit into logical locations.
> A dream is to someday provide an interactive graphical browser that lets
> people expand and contract entries, follow various relationships, etc.
That would be cool! :)
Regards,
- Robert Auger
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA