[WEB SECURITY] What's the difference between weakness and vulnerability?

Rohit Sethi rklists at gmail.com
Sun Nov 6 14:58:07 EST 2011


Matthew, you're unlikely to find the authoritative answer you're
looking for. Some food for thought: the Common Weakness Enumeration
(CWE) lists types of security issues present in software (e.g. SQL
injection), whereas the Common Vulnerabilities and Exposures (CVE)
lists instances of those weaknesses in a specific software package (e.g.
SQL injection in app xyz version 3.2).

On 11/6/11, matthew chao <mathewchao at gmail.com> wrote:
> WASC's definition of "weakness": "The underlying vulnerability within
> the application that is exploited." It seems weakness is equal to
> vulnerability, and WASC's Glossary
> (http://projects.webappsec.org/w/page/13246967/The%20Web%20Security%20Glossary)
> doesn't include the terms.
>
> However, according to "http://cwe.mitre.org/about/faq.html#A.1",
> "Software weaknesses are errors that can lead to software
> vulnerabilities. A software vulnerability is a mistake in software
> that can be directly used by a hacker to gain access to a system or
> network.", so they are different concepts.
>
>
> The situation is confused. So what's the difference between weakness
> and vulnerability? Thanks!
>
> -Matt
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>

-- 
Sent from my mobile device

Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi



