OASIS Mailing List Archives

Subject: Interesting papers about vulnerability classification and a possible proposal to move forward

As I am still trying to get my head around this classification problem we
are working through, I started searching the web for abstracts of other
projects for experience of how others have dealt with it. There are some
wise thoughts from Matt Bishop in the following two papers



I am leaning (tonight) towards thinking that the approach suggested in both,
essentially decomposing vulnerabilities into characteristics and organizing
them into a thesaurus that can be used for classifying issues, resonates with
what we are trying to do and would work the best. Essentially we would group
vulnerabilities with "like" characteristics. The characteristics could be used
to create classification schemes.

Essentially this is not a million miles from the original OWASP ASAC.

Characteristics, maybe:

    Modify Existing Requests
    New Requests

Attack Surface
    System Boundary
    Component Boundary
    Source Code

    Application Component
    Infrastructure Component

    Denial of Service
    Elevated Privileges
    Transfer of Trust
    Spoofed Identity
    Revelation of Additional Data
    Security Requirements Fail

The groups, maybe:

Logic Conditions

Boundary Validation
    Modified Existing Requests
        SQL Injection
        LDAP Injection
        OS Command Injection
        Script Injection
    HTML Injection
        XSS to call JS
    ASP Scripts
    PHP Scripts
    Addition to Existing Requests
        Directory Traversal
    New Requests

Infrastructure Configuration Management
    Insecure Default Configurations
    Security Patches
    Exposed Administration Interfaces

User Privacy

Session Management
    Session Timeout
    Session Hijacking

Access Control

Data Protection
    Transport Security

Buffer Overflows
    Heap Overflow
    Stack Overflow
    Format String

Race Conditions

What do people think of this idea?
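The following is an added illustration, not part of the original message or of any OWASP/OASIS project code, of what a faceted thesaurus of the kind proposed above could look like in practice: each issue carries one value per characteristic (facet), grouping on any single facet yields a classification scheme, and agreement across facets finds issues with "like" characteristics. The facet vocabularies are taken from the characteristics listed in the message; the sample entries and the facet values assigned to them are constructed assumptions for illustration, as are the function names.

```python
"""Faceted vulnerability thesaurus (added example, not from the original message).

An issue is a small dict of characteristics.  classify_by() derives a scheme
from any one facet; like_issues() ranks other entries by how many facets agree.
"""
from collections import defaultdict

# Facet vocabularies, taken from the characteristics listed in the message.
FACETS = {
    "request": {"modify existing", "add to existing", "new request"},
    "surface": {"system boundary", "component boundary", "source code"},
    "component": {"application", "infrastructure"},
    "impact": {
        "denial of service", "elevated privileges", "transfer of trust",
        "spoofed identity", "revelation of additional data",
        "security requirements fail",
    },
}

# Constructed sample thesaurus; the facet values assigned here are assumptions.
THESAURUS = {
    "SQL Injection": {"request": "modify existing", "surface": "component boundary",
                      "component": "application", "impact": "revelation of additional data"},
    "LDAP Injection": {"request": "modify existing", "surface": "component boundary",
                       "component": "application", "impact": "revelation of additional data"},
    "OS Command Injection": {"request": "modify existing", "surface": "system boundary",
                             "component": "infrastructure", "impact": "elevated privileges"},
    "XSS to call JS": {"request": "modify existing", "surface": "component boundary",
                       "component": "application", "impact": "transfer of trust"},
    "Directory Traversal": {"request": "add to existing", "surface": "system boundary",
                            "component": "application", "impact": "revelation of additional data"},
    "Exposed Administration Interfaces": {"request": "new request", "surface": "system boundary",
                                          "component": "infrastructure", "impact": "elevated privileges"},
    "Session Hijacking": {"request": "new request", "surface": "component boundary",
                          "component": "application", "impact": "spoofed identity"},
    "Stack Overflow": {"request": "modify existing", "surface": "source code",
                       "component": "application", "impact": "elevated privileges"},
}


def validate(thesaurus, facets=FACETS):
    """List problems: missing facets, unknown facets, values outside the vocabulary."""
    errors = []
    for name, tags in thesaurus.items():
        for facet, vocab in facets.items():
            if facet not in tags:
                errors.append(f"{name}: missing facet '{facet}'")
            elif tags[facet] not in vocab:
                errors.append(f"{name}: '{tags[facet]}' is not a known value for '{facet}'")
        for facet in tags:
            if facet not in facets:
                errors.append(f"{name}: unknown facet '{facet}'")
    return errors


def classify_by(thesaurus, facet):
    """Derive a classification scheme: facet value -> sorted list of issues carrying it."""
    scheme = defaultdict(list)
    for name, tags in thesaurus.items():
        scheme[tags[facet]].append(name)
    return {value: sorted(names) for value, names in sorted(scheme.items())}


def similarity(tags_a, tags_b, facets=FACETS):
    """Fraction of facets on which two issues agree (1.0 = identical characteristics)."""
    agree = sum(1 for f in facets if tags_a.get(f) == tags_b.get(f))
    return agree / len(facets)


def like_issues(thesaurus, name, threshold=0.75):
    """Other issues agreeing with `name` on at least `threshold` of the facets,
    most similar first, ties broken alphabetically."""
    target = thesaurus[name]
    scored = [(similarity(target, tags), other)
              for other, tags in thesaurus.items() if other != name]
    return [other for score, other in sorted(scored, key=lambda s: (-s[0], s[1]))
            if score >= threshold]


if __name__ == "__main__":
    assert not validate(THESAURUS)
    # The same data yields a different scheme for every facet chosen.
    for facet in FACETS:
        print(f"== grouped by {facet} ==")
        for value, names in classify_by(THESAURUS, facet).items():
            print(f"  {value}: {', '.join(names)}")
    print("like SQL Injection:", like_issues(THESAURUS, "SQL Injection"))
```

The point the listing makes is that the thesaurus, not any one tree, is the primary artifact: the hierarchy in the message is what you get by choosing "request" as the first grouping facet, and a grouping by "impact" or "surface" falls out of the same entries without re-tagging anything. Checking new entries with validate() keeps the vocabulary controlled, which is what makes the "like characteristics" comparison meaningful.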
