Subject: Interesting papers about vulnerability classification and a possible proposal to move forward
As I am still trying to get my head around this classification problem we are working through, I started searching the web for abstracts about other projects to see how others have dealt with it. There are some wise thoughts from Matt Bishop in the following two papers:

http://downloads.securityfocus.com/library/1996-nissc-vn.pdf
http://seclab.cs.ucdavis.edu/secsem2/09-01-99-Matt/matt.ppt

I am leaning (tonight) towards thinking that the approach suggested in both, of essentially decomposing vulnerabilities into characteristics and organizing them into a thesaurus that can be used for classifying issues, resonates with what we are trying to do and would work best. Essentially we would group vulnerabilities with "like" characteristics. The characteristics could be used to create classification schemes. Essentially this is not a million miles from the original OWASP ASAC.

Characteristics, maybe:

  Techniques
    Modify Existing Requests
    New Requests
  Attack Surface
    System Boundary
    Component Boundary
    Source Code
  Target
    Application Component
    Infrastructure Component
    User
  Consequences
    Denial of Service
    Elevated Privileges
    Transfer of Trust
    Spoofed Identity
    Revelation of Additional Data
    Security Requirements Fail

The groups, maybe:

  Logic Conditions
  Boundary Validation
    Canonicalization
    Modified Existing Requests
      SQL Injection
      LDAP Injection
      OS Command Injection
      Script Injection
        HTML Injection
        XSS to call JS
        JavaScript XSS
        ASP Scripts
        PHP Scripts
    Addition to Existing Requests
      Directory Traversal
    New Requests
  Infrastructure
    Configuration Management
      Insecure Default Configurations
      Security Patches
      Exposed Administration Interfaces
  User Privacy
  Session Management
    Session Timeout
    Session Hijacking
  Access Control
    Authentication
    Authorization
  Data Protection
    Cryptography
    Transport Security
  Buffer Overflows
    Heap Overflow
    Stack Overflow
    Format String
  Race Conditions

What do people think of this idea?
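To make the proposal concrete, here is an added example (not part of the post, and not OWASP or Matt Bishop's code) of the thesaurus as a data structure: the four characteristic facets and their vocabulary are taken from the list above, each vulnerability is tagged with one or more values per facet, and "classification schemes" and "like" issues are then derived from the tags rather than hand-maintained. The particular tagging of each sample issue (which facet values SQL Injection, Directory Traversal and so on carry) is a constructed assumption for illustration, not a classification the post commits to.

```python
from collections import defaultdict
from dataclasses import dataclass

# The thesaurus: facet name -> controlled vocabulary of characteristics.
# Facet and value names follow the characteristic list in the post.
FACETS = {
    "technique": {"Modify Existing Requests", "New Requests"},
    "attack_surface": {"System Boundary", "Component Boundary", "Source Code"},
    "target": {"Application Component", "Infrastructure Component", "User"},
    "consequence": {
        "Denial of Service", "Elevated Privileges", "Transfer of Trust",
        "Spoofed Identity", "Revelation of Additional Data",
        "Security Requirements Fail",
    },
}


@dataclass(frozen=True)
class Issue:
    name: str
    characteristics: frozenset  # set of (facet, value) pairs


def unknown_characteristics(**facets):
    """Return (facet, value) pairs that are not in the thesaurus."""
    bad = []
    for facet, values in facets.items():
        for value in values:
            if facet not in FACETS or value not in FACETS[facet]:
                bad.append((facet, value))
    return bad


def tag(name, **facets):
    """Build an Issue, refusing characteristics outside the controlled vocabulary."""
    bad = unknown_characteristics(**facets)
    if bad:
        raise ValueError(f"{name}: unknown characteristics {bad}")
    chars = {(f, v) for f, values in facets.items() for v in values}
    return Issue(name, frozenset(chars))


# Constructed sample catalogue; the facet values per issue are assumptions.
CATALOGUE = [
    tag("SQL Injection",
        technique=["Modify Existing Requests"],
        attack_surface=["Component Boundary"],
        target=["Application Component"],
        consequence=["Revelation of Additional Data", "Elevated Privileges"]),
    tag("OS Command Injection",
        technique=["Modify Existing Requests"],
        attack_surface=["Component Boundary"],
        target=["Infrastructure Component"],
        consequence=["Elevated Privileges"]),
    tag("Directory Traversal",
        technique=["Modify Existing Requests"],
        attack_surface=["System Boundary"],
        target=["Infrastructure Component"],
        consequence=["Revelation of Additional Data"]),
    tag("Exposed Administration Interfaces",
        technique=["New Requests"],
        attack_surface=["System Boundary"],
        target=["Infrastructure Component"],
        consequence=["Elevated Privileges"]),
    tag("Session Hijacking",
        technique=["New Requests"],
        attack_surface=["System Boundary"],
        target=["User"],
        consequence=["Spoofed Identity"]),
]


def group_by(facet, issues=CATALOGUE):
    """Derive one classification scheme: issue names grouped under each
    value of a single facet (e.g. a 'by consequence' view of the catalogue)."""
    groups = defaultdict(list)
    for issue in issues:
        for f, v in sorted(issue.characteristics):
            if f == facet:
                groups[v].append(issue.name)
    return dict(groups)


def similar(name, issues=CATALOGUE):
    """Rank the other issues by how many characteristics they share with
    `name`: the 'like' issues of the post. Issues sharing nothing are omitted."""
    me = next(i for i in issues if i.name == name)
    scored = [(len(me.characteristics & other.characteristics), other.name)
              for other in issues if other.name != name]
    return [n for s, n in sorted(scored, key=lambda t: (-t[0], t[1])) if s > 0]


if __name__ == "__main__":
    for facet in FACETS:
        print(facet, group_by(facet))
    print("like SQL Injection:", similar("SQL Injection"))
```

The point of validating tags against the vocabulary is that a thesaurus only stays useful if nobody can quietly add a synonym; every derived scheme (by technique, by consequence, and so on) then falls out of the same tags, so adding a facet later does not require re-sorting the whole catalogue by hand.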