[WEB SECURITY] What's the difference between weakness and vulnerability?

Romain Gaucher rgaucher at cigital.com
Sun Nov 6 18:23:16 EST 2011


Matt,
When looking at the threat classification glossary:
  http://projects.webappsec.org/Threat-Classification-Glossary
the definitions are aligned with MITRE's.

The definitions you looked at are from the Web Hacking Incident Database. I
wasn't aware that the projects used different terminology, but that's
certainly something we would need to fix.


Romain

On 11/6/11 2:35 AM, "matthew chao" <mathewchao at gmail.com> wrote:

>WASC's definition of "weakness": "The underlying vulnerability within
>the application that is exploited." It seems weakness is equal to
>vulnerability, and WASC's Glossary
>(http://projects.webappsec.org/w/page/13246967/The%20Web%20Security%20Glossary)
>doesn't include the terms.
>
>However, according to "http://cwe.mitre.org/about/faq.html#A.1",
>"Software weaknesses are errors that can lead to software
>vulnerabilities. A software vulnerability is a mistake in software
>that can be directly used by a hacker to gain access to a system or
>network.", so they are different concepts.
>
>
>The situation is confused. So what's the difference between weakness
>and vulnerability? Thanks!
>
>-Matt
>
