Software Threat Taxonomy Confusion

You say Potato, I say Potato…

First, we had the OWASP Top Ten, then the WASC Threat Classification, and now CWE/SANS joins the fray with their ‘Top 25 Most Dangerous Programming Errors’.

I’m glad to see Washington engaging and educating on the software security problem; it will be interesting to see whether these lists end up aligned or competing with one another.

Do you think this new list will help clarify appsec issues, or create more doublespeak?


8 Responses to “Software Threat Taxonomy Confusion”

  1. Marcin Says:

    Umm, Mitre has been around longer (like 5x) than OWASP and WASC combined.

    OWASP Top 10 grew out of the CWE project, and WASC Threat Classifications aren’t really “threats”, but “attack vectors”.

    Now who’s confusing who, but I guess you’re just calling them out on their “Top X” list. 🙂

  2. romain Says:

    Well, there is a difference between all these classifications/enumerations. In particular, I believe they are not targeting the same audience… (from managers with the Top Ten, to mostly developers/security consultants for SANS/MITRE…)

  3. treyford Says:

    Marcin- so good to hear from you! I guess my intent behind the post was to get conversations started, bringing visibility to how each of these lists need to be leveraged and seen as constructive (sometimes I err on the side of stirring the pot I suppose).

    Historically, you are completely correct- MITRE has been around forever. When I think of communicating web software vulnerabilities, and really focusing on improving website security- I think OWASP, WASC, and now MITRE.

    I’m overdue for a trip to NY- hope to see you soon!

  4. John C Says:

    My problem with this list is that it isn’t anything new. Most of those problems appear in books like How to Break Software Security and 19 Deadly Sins. The new-ish ones, not in those books, are web ones which are on the OWASP list. Why do we need yet another list?

  5. Rafal Los Says:

    @John C:
    Isn’t the fact that these Top 25 are all re-hashes of old stuff a little telling in itself? Programmers are making the same mistakes, same errors, same egregious sins over and over and over again, whether we apply it to web applications, old-time Fortran code, C/C++… same mistakes over and over.

    That being said, I seem to recall someone on a blog post rather recently commenting on the outside chance that we’re making the same mistakes we made back in the Cobol days, only now extending them to the web… thus amplifying their nastiness.

    When man does not learn from his past, he is doomed to repeat it…

  6. John C Says:

    @Rafal Los:
    Oh it is absolutely telling but I don’t think yet another list is going to help. To me this list seems to be “bad dev, no cookie” when I think more of the blame resides with the Institutes of Learning that fail to address this when people are learning to create software. Devs focus on getting it working so it can ship at the ridiculous ship date. Until they are taught the secure way from the beginning and/or organizations make security a priority nothing will change.

  7. Kiran Says:

    I was trying to find an exhaustive list of emerging bugs and threats and I came across your article, hence this is more of a question than a comment…
    Is there a single source where I can find all the threats, rather than the vulnerabilities? Or which of the lists is more dependable?

  8. Sofien BEJI Says:

    To Kiran:
    An answer to your question about threats and vulnerabilities. You can find an ontology of information security by Almut Herzog. There, you have a good conceptualization of several relevant concepts of information security that deal with vulnerability, threat and countermeasure.
