[WEB SECURITY] What's the difference between weakness and vulnerability?

matthew chao mathewchao at gmail.com
Sun Nov 6 03:35:05 EST 2011


WASC's definition of "weakness": "The underlying vulnerability within
the application that is exploited." It seems weakness is equal to
vulnerability, and WASC's Glossary
(http://projects.webappsec.org/w/page/13246967/The%20Web%20Security%20Glossary)
doesn't include the terms.

However, according to "http://cwe.mitre.org/about/faq.html#A.1",
"Software weaknesses are errors that can lead to software
vulnerabilities. A software vulnerability is a mistake in software
that can be directly used by a hacker to gain access to a system or
network.", so they are different concepts.


The situation is confusing, so what are the differences between weakness
and vulnerability? Thanks!

-Matt
