[WEB SECURITY] websecurity Digest, Vol 11, Issue 5

Pete Herzog lists at isecom.org
Mon Nov 7 06:46:15 EST 2011


Security does suffer from inconsistent taxonomy; however, that 
inconsistency lies across methods and not within a method. I know 
OSSTMM, also being a complicated piece of work, does occasionally have 
a similar problem due to old versions of definitions from a previous 
method clashing with the updated version. I'm sure this here is no 

What's important is that vulnerabilities, weaknesses, concerns, and 
other such words within a subject have a factual basis rather than 
coming from an ideology. So if we want to say "weakness", we can do so by 
framing the method from where it comes. And that word has a definite 
function within that method. For example, if I said I was "depressed", 
that word unframed takes the colloquial meaning of "sad". However, if 
it was framed as I was "diagnosed as clinically" _depressed_ then it 
takes a whole new meaning within a method where depression describes a 
function of associated operations (symptoms). Just like if Godzilla 
talked to other monsters about being depressed after having depressed 
a large number of people, they would know he speaks of the method of 
stepping upon them until they submerge in the ground, which is a 
specific operation within the function of being a rather large-sized 

I deliberately made that stupid last sentence to make a point, that 
any method can and should use a specific term only if that term has a 
clear function or operation within a function regardless of the 
industry or science. Being a nascent industry, taxonomy in network and 
application security is borrowed from other industries and people 
argue over that taxonomy as if other industries, like psychology, 
haven't already encountered this issue before. And the more you 
research and invent within this industry the more problems you're 
going to have finding the right words to mean what you want to say. 
The OSSTMM 3 is a huge example of that. So what's important is to 
always frame your vocabulary as you speak and be forgiving of how 
others use their vocabulary because in network and application 
security, we're all non-native speakers.

That said, pragmatically, any control can be weak (or have a weakness) 
if it does what it's supposed to do but does so poorly. Someone 
mentioned "only" encryption. But I think authentication with a poor 
password is also weak. Or indemnification with no teeth. Or integrity 
verifying the wrong changes. Or alarm with a slow response. Etc.


Pete Herzog - Managing Director - pete at isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org