Thursday, February 05, 2009

Who's who and what's what

When it comes to standards (de facto or otherwise), guidance, terminology, and nomenclature, Web security is an exceptionally confusing and daunting environment. People frequently ask, “What is the difference between the OWASP Top Ten and WASC’s Web Security Threat Classification?” “How does the new CWE/SANS Top 25 fit in?” “Which should I use?” Also common are questions about the differences between organizations such as MITRE, OWASP, SANS, and WASC, whose scopes seem to overlap from time to time. The lack of clarity makes it difficult for people to decide which organizations they should devote their time to, and which standards are best used for what purpose. I’m going to do my best to organize and describe some of the more focused public terminology, standard, and framework initiatives and how they differ. This is by no means an exhaustive list.

Web Application Security Consortium (WASC)
An international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.

A group of industry-leading Web security experts whose members are elected through a meritocracy-based system. WASC tends to initiate projects that are of significant importance to Web security, require a high degree of domain expertise, and depend upon the involvement of a wide collective of key participants, efforts not easily performed by wide-open community groups. Upon release these projects are exceptionally well peer reviewed, provide quality results, and typically gain immediate support from the industry at large.

Web Application Firewall Evaluation Criteria (WAFEC)
An industry standard testing criteria for evaluating the quality of web application firewall solutions. The goal of this project is to develop a detailed web application firewall evaluation criteria; a testing methodology that can be used by any reasonably skilled technician to independently assess the quality of a WAF solution.

Web Application Firewalls (WAFs) can be an extremely complex set of technology and difficult to evaluate in a fair and straightforward manner. WAFEC v1 provides a framework for how WAFs may be compared and which areas are most important to focus on. It is not a product review in and of itself, but a guideline to follow. A version 2 update should begin sometime early this year.

Web Application Security Scanner Evaluation Criteria (WASSEC)
A set of guidelines to evaluate web application security scanners on their identification of web application vulnerabilities and its completeness. It will cover things like crawling, parsing, session handling, types of vulnerabilities and information about those vulnerabilities. This document shall evaluate the technical aspects of the web application security scanners and NOT the features provided by it. This document should define the minimum criteria to be followed by a web application scanner.

As with WAFs, Web application vulnerability scanners can be exceptionally complex and difficult to evaluate. The WASSEC, currently in active development, provides a framework for how scanners may be compared and which areas should be focused upon. This is not a product review exercise, but a guideline to follow, perhaps in order to perform such reviews.

Web Security Threat Classification (WASC-TC)
A cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for web security related issues.

An extremely comprehensive taxonomy of the Web-based attacks a website might expect to endure, with a strong emphasis on agreed-upon terminology, definitions, and structure. The Threat Classification may be considered a superset of the OWASP Top Ten. The content has been heavily vetted and is widely supported by vulnerability scanners, Web application firewalls, consultants, and enterprises. The TC purposely leaves out notions of vulnerability prevalence and default severity ratings. Version 2 is presently in active development and nearing completion, and is expected to be a substantial improvement upon the original.

Open Web Application Security Project (OWASP)
The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.

An organization focused largely on the software development aspects of Web application security, spanning several continents through locally organized member chapters and conferences, and enjoying a large membership base. OWASP is an excellent resource for developers and security practitioners, especially those who are new to Web security and looking to engage with like-minded peers working on similar efforts.

Top Ten
Provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.

Designed to be an awareness-building document, the Top Ten list is a combination of Web-based vulnerability prevalence tempered by expert analysis that takes likely impact and exploitability into consideration. The Top Ten is not meant to be comprehensive or the foundation of any standard; however, it is cited as such in the PCI-DSS standard. Technically the document should be considered a subset of the Web Security Threat Classification. For security managers requiring something simple to pass around to upper management or to developer groups unaccustomed to Web security, this is a great resource.

MITRE
A not-for-profit organization chartered to work in the public interest. As a national resource, we apply our expertise in systems engineering, information technology, operational concepts, and enterprise modernization to address our sponsors' critical needs.

Common Weakness Enumeration (CWE)
Provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems as well as better understanding and management of software weaknesses related to architecture and design.

A dictionary of software weakness terminology intended for developers and security practitioners. While CWE includes many aspects of Web security, its scope is much larger. In many ways this can be considered a superset of the WASC Threat Classification, even while the terminology might not map identically. Expect an increasing number of industry projects and standards to adopt this nomenclature when discussing security topics or organizing and naming findings.

Common Vulnerabilities and Exposures (CVE)
A dictionary of publicly known information security vulnerabilities and exposures. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.

Publicly disclosed vulnerabilities in commercial and open source software are captured by CVE in a dictionary with numbered identifiers. CVE does not include vulnerabilities in custom web applications. Most network vulnerability scanners will map their findings to CVE IDs.
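The practical consequence of a shared identifier is that findings from different tools can be joined on it and coverage compared, which is the "baseline index point" CVE describes. The script below is an added example, not part of the original post: it merges two constructed scanner reports (the tool names "scanner-a" and "scanner-b" are hypothetical, and the CVE numbers use the year 9999 so they are obviously placeholders rather than real entries), groups findings by normalised CVE ID, and keeps the custom-application findings that carry only a CWE label, plus any malformed identifiers, separate instead of silently dropping them.

```python
"""Correlate findings from two (constructed) scanner reports on their CVE IDs.

Added example for the CVE paragraph above; the scanners, the report
format and the CVE numbers are all constructed for illustration.
"""
import re
from collections import defaultdict

# CVE identifier syntax: "CVE-" + four-digit year + a sequence of at least four digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# CWE identifiers are "CWE-" followed by a number.
CWE_RE = re.compile(r"^CWE-\d+$")

# Constructed sample findings from two hypothetical scanners.
# Year 9999 marks the CVE numbers as placeholders, not real dictionary entries.
SCANNER_A = [
    {"tool": "scanner-a", "ref": "CVE-9999-0001", "title": "outdated server component"},
    {"tool": "scanner-a", "ref": "CVE-9999-0002", "title": "outdated server component"},
    {"tool": "scanner-a", "ref": "CWE-79", "title": "reflected XSS in custom search page"},
]
SCANNER_B = [
    {"tool": "scanner-b", "ref": "cve-9999-0001", "title": "lower-case id from tool b"},
    {"tool": "scanner-b", "ref": "CVE-9999-0002", "title": "same issue seen by tool b"},
    {"tool": "scanner-b", "ref": "CVE-9999-0003", "title": "only tool b reports this"},
    {"tool": "scanner-b", "ref": "CVE-99-3", "title": "malformed identifier"},
]


def classify_ref(ref):
    """Normalise an identifier and say which dictionary it belongs to.

    Returns ("cve", id), ("cwe", id) or ("unknown", original-text).
    """
    norm = ref.strip().upper()
    if CVE_RE.match(norm):
        return "cve", norm
    if CWE_RE.match(norm):
        return "cwe", norm
    return "unknown", ref


def correlate(*reports):
    """Join findings from several scanner reports on their CVE ID.

    Findings without a CVE (custom-application issues labelled by CWE) and
    findings with unparsable identifiers are kept apart rather than dropped,
    so nothing disappears silently during the merge.
    """
    by_cve = defaultdict(set)   # CVE ID -> set of tools that reported it
    no_cve = []                 # CWE-labelled findings (no CVE exists for custom code)
    malformed = []              # identifiers matching neither syntax
    for report in reports:
        for finding in report:
            kind, ident = classify_ref(finding["ref"])
            if kind == "cve":
                by_cve[ident].add(finding["tool"])
            elif kind == "cwe":
                no_cve.append({**finding, "ref": ident})
            else:
                malformed.append(finding)
    return {"by_cve": dict(by_cve), "no_cve": no_cve, "malformed": malformed}


def coverage(by_cve, tool_a, tool_b):
    """Compare two tools' CVE coverage: (only_a, both, only_b) as sorted lists."""
    a = {cve for cve, tools in by_cve.items() if tool_a in tools}
    b = {cve for cve, tools in by_cve.items() if tool_b in tools}
    return sorted(a - b), sorted(a & b), sorted(b - a)


if __name__ == "__main__":
    result = correlate(SCANNER_A, SCANNER_B)
    only_a, both, only_b = coverage(result["by_cve"], "scanner-a", "scanner-b")
    print("reported by both:", both)
    print("only scanner-a:", only_a, " only scanner-b:", only_b)
    print("no CVE (custom app, CWE-labelled):", [f["ref"] for f in result["no_cve"]])
    print("malformed ids:", [f["ref"] for f in result["malformed"]])
```

The CWE-labelled finding is the case the paragraph calls out: a custom web application issue has no CVE to join on, so cross-tool correlation for it has to fall back to a weakness taxonomy (CWE here, or the WASC Threat Classification) rather than a vulnerability dictionary.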

CWE/SANS Top 25 Most Dangerous Programming Errors (2009)
A list of the most significant programming errors that can lead to serious software vulnerabilities. They occur frequently, are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

MITRE (via CWE) and SANS (via the SANS Top 20) joined forces to create a Top 25 list out of the hundreds of issues listed within the CWE. About half of the list is Web-based, roughly similar to the OWASP Top Ten, and the rest deal with memory handling issues common to commercial and open source software. Again, it is not meant to be comprehensive, only a list of the more common and damaging issues. Think OWASP Top Ten in focus, but for all software types.

SANS Institute
Established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world.

Top 20
A consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious government agencies in the UK, US, and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; the Internet Storm Center, and many other user organizations.

The “20” now seems to be a misnomer; the list is segmented into a variety of categories including client-side, server-side, network devices, etc. Each category lists a handful of major pressing threats, selected by expert analysis as a combination of prevalence, likely severity, and odds of exploitation. For instance, under “Web Applications” are listed PHP Remote File Includes, SQL Injection, Cross-Site Scripting, and Cross-Site Request Forgery. Not meant to be comprehensive, but certainly things not to be overlooked. The 2008 release is expected to be forthcoming.


Anonymous said...

Nice summary and visual. You might consider adding MITRE's CAPEC. It basically ties together CWEs into higher-level attack patterns.

Anonymous said...

Hi Jeremiah,

I recently published something similar to this but just with OWASP, WhiteHatSec and Sans.

I had created a matrix to show how everyone's "top X" lists map to each other if you use a small set of secure development principles.

My work can be found here:


Jeremiah Grossman said...

Hey David, this is good work and sorely needed. Have you thought about conducting a full mapping between the relevant taxonomies? I'm sure at least a couple people wouldn't mind helping out.

Jim Manico said...

OWASP really needs (at least) 6 bubbles in there!

6. OWASP Legal Project (Secure Software Contracts for Developers and their Clients)


4. OWASP Application Security Verification Standard

3. OWASP Code Review Guide

2. OWASP Developers Guide

1. OWASP Coders Security Library for Java, PHP, .NET, ASP and Haskell (ESAPI - FOSS Enterprise Security API)

Unknown said...

To make decisions on growing threat to the safety, architects and developers require the calculation of privacy, reliability and requires the availability of their applications. In short, we must use the classification category secure web application development.
