[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Classification & MECE frameworks
Mark et al -- Perhaps this is jumping the gun a bit, but I wanted to offer a thought on classification of app security issues. With regard to classification of problem spaces generally, it is common practice in the management consulting world to define taxonomies that are mutually exclusive and collectively exhastive (aka MECE frameworks). This is essentially a tree structure, in which the problem at hand is succesively broken down into its component parts as the tree gets 'deeper'. MECE frameworks enable summary reporting and roll-ups, while allowing ad hoc deep-dives. A key tenet of MECE design is to ensure that each level does not contain excessive detail. This generally means that at most, levels contain no more than 6-10 subtopics. The other point to remember is that topics can't overlap -- this is the 'ME' part. In @stake's case, for app vulnerability classification we started with the OWASP Application Security Attack Components as a straw man MECE framework. We then modified it a bit to give it a bit more 'balance' and topic completeness. We also simplified some of the jargon for the higher-level topics so that executives could better understand them. The resulting MECE framework uses 9 high level categories and 56 lower-level ones. In particular, the high-level web app sec categories we used were: - Administrative interfaces - Authentication & access control - Configuration management - Cryptography - Information gathering - Input validation - Parameter manipulation - Sensitive data handling - Session management I'd be happy to contribute the framework to the group if folks would find it helpful. Best, -- Andrew Jaquith Program Director @stake, Inc. 196 Broadway Cambridge, MA 02139 USA Direct: 617.768.2711 Mobile: 617.501.3278 Fax: 617.621.1478 Email: ajaquith@atstake.com PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x898CF546
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]