Monday, January 19, 2009

CWE Top 25 vs. OWASP Top 10 vs. WASC Classification

"In the theater of the mind, the tone-deaf has the perfect pitch"
Recently some of you that participate in the mailing lists around web application security may have seen a bit of an avalanche of thread activity around a topic we all hold dear to our hearts. The Top x programming mistakes, or vulnerabilities, or defects, or whatever - we love them until they're used as a "standard".
Up until recently, there were essentially 2 separate and divergent (although partially agreeable) taxonomies of "Top vulnerabilities" in code (mainly focusing on web applications) - but now there is a 3rd contender. I'll briefly break them down, give you my opinions (of course!), and give you a chance to form some original thoughts... hopefully you can all form some original thoughts?

First off, the OWASP Top 10 project, a project from OWASP (Open Web Application Security Project), was the gold standard for the top 10 web-code-borne vulnerabilities out there. Near as I can tell the first official version was published way, way back in 2004... before the clones came.

Then there is the WASC (Web Application Security Consortium) project called the WASC Threat Classification, which was at version 1.00 around the same time in 2004 and has a last-update date of Nov. 29th, 2005. This is all well and good, and it's even nice to have 2 slightly different views or perspectives... a differing opinion from experts is always a good thing - that's why we go get a 2nd opinion from doctors, right?

Now, there is the new one. But before I go there, allow me to list the "Top x" from the two previous...

OWASP Top 10 (as of 2007 revision)
  1. Cross-Site Scripting (XSS)
  2. Injection Flaws
  3. Malicious File Execution
  4. Insecure Direct Object Reference
  5. Cross-Site Request Forgery (CSRF)
  6. Information Leakage and Improper Error Handling
  7. Broken Authentication and Session Management
  8. Insecure Cryptographic Storage
  9. Insecure Communications
  10. Failure to Restrict URL Access

WASC Top Threats (as of v.1.00 (2004) revision)
  1. Authentication
  2. Authorization
  3. Client-side Attacks
  4. Command Execution
  5. Information Disclosure
  6. Logic Attacks

No matter how you look at these... they are essentially the same vulnerabilities classified differently into groups. There isn't really anything revolutionary, except for how you group vulnerabilities logically... now let's move on, keeping in mind that these two are focused on web application security vulnerabilities (defects, dammit, defects!). I will insert one thing of my own thought here, and I know lots of people will agree that the WASC Threat Classification is a little more complete, while (as a friend put it) OWASP is a sub-set of the WASC list. But that's another discussion.

Recently we were all alerted to the MITRE CWE Top 25. It's not a list of the most common vulnerabilities, rather, it approaches the idea from the perspective of the most common mistakes programmers make. I rather think this is a novel approach... but there is a problem. The CWE Top 25 breaks down into 3 separate categories like so...
  1. Insecure Interaction Between Components
  2. Risky Resource Management
  3. Porous Defenses

There you have it - these are the 3 big families of mistakes programmers make. Ideally, the OWASP Top 10, and the WASC Threat Classes would nicely map into these mistakes... but unfortunately life's just not that easy - and I think this is where the conversation gets sideways and people start to lose their temper.

{ begin opinion }
I like this new document, personally. I know, this shocks lots of you reading this... but I've thought about it and I really do like it. It's written to developers and architects so it takes out a lot of the flowery security-specific language we all have grown to love. It also has a ranking of Weakness Prevalence, Remediation Cost, Attack Frequency, Consequences, Ease of Detection and Attacker Awareness... which I think serves to help developers figure out what things to focus on (based on how dangerous these mistakes are). There is a discussion section, and a Prevention and Mitigations section too... nicely wrapped up in a bow. Where everything has gone to hell in a flower-basket is when entities such as large corporations try to use a document like this as a measuring-stick, or a "do you detect these issues" line-item on an RFP. See where I'm going with this?

This is a developer's guide to what they're doing wrong, and will now be a 3rd standard to check against... to make sure developers aren't making these sorts of mistakes. It'll be chaos as this mentality forces the 3 classifications listed here to essentially compete, which is wrong - as each has its own purpose! Why not, instead of writing a totally new document like this one, write a comprehensive document that speaks to managers, executives, developers and security professionals... is that so hard? (actually yes, yes it is).

So that's what I think. I like the CWE Top 25... and if it actually leads to better software, so be it - I'm still not holding my breath.
{end opinion}

Next I'll tackle the question of whether the CWE Top 25 should be used like this... New York Drafts Language Demanding Secure Code. I want your opinions!


Andre Gironda said...

CWE Top 25 is based on CWE, which are software weaknesses. OWASP T10-2007 is also based on CWE and MITRE data, and it also consists of software weaknesses.

WASC TC 1.0 or even 2.0 is based on attack paths. It is similar to MITRE CAPEC. Comparing it to CWE or OWASP T10 is a waste of time.

Rafal said...

Nice to hear from you, been a while... and actually that's a wonderful point. What has been talked about extensively is a comparison between the three, without any thought to their base or purpose.

Thanks for the contribution.

Robert said...


The WASC TC v2 has been redefined and has the following new mission statement.

"The Threat Classification is an effort to classify the weaknesses, and attacks that can lead to the compromise of a website, its data, or its users."

Also the WASC TC predates CAPEC and CWE I believe. The new version is roughly 48 items compared to the previous 24 from the 2004 version.

Rafal said...

@Robert - Thank you for the clarification. Always appreciate the update...