[WEB SECURITY] What's the differences between weakness and vulnerability?

Romain Gaucher rgaucher at cigital.com
Sun Nov 6 18:23:16 EST 2011

When looking at the threat classification glossary, the definitions are aligned with MITRE's.

The definitions you looked at are from the Web Hacking Incident Database. I
wasn't aware that the projects used different terminology, but that's
certainly something we would need to fix.


On 11/6/11 2:35 AM, "matthew chao" <mathewchao at gmail.com> wrote:

>WASC's definition of "weakness": "The underlying vulnerability within
>the application that is exploited." It seems weakness is equal to
>vulnerability, and WASC's Glossary doesn't include the terms.
>However, according to "http://cwe.mitre.org/about/faq.html#A.1",
>"Software weaknesses are errors that can lead to software
>vulnerabilities. A software vulnerability is a mistake in software
>that can be directly used by a hacker to gain access to a system or
>network.", so they are different concepts.
>The situation is confusing. So what are the differences between weakness
>and vulnerability? Thanks!
