Threat Classification Development View

Page history last edited by Robert Auger 14 years, 3 months ago

 

Threat Classification 'Development Phase View'

This WASC Threat Classification view was created to loosely outline where in the development lifecycle a particular type of vulnerability is likely to be introduced. It was created in an attempt to identify the common root occurrences (development phases) of vulnerability introduction; it does not attempt to address improperly patched servers or to enumerate edge cases. Because a single vulnerability type can be introduced in more than one phase, this view uses many-to-many relationships.

 

Definitions

Design: Covers vulnerabilities that are likely to be introduced due to a lack of mitigations specified in the software design/requirements, or due to a poorly/improperly defined design/requirement.

Implementation: Covers vulnerabilities that are likely to be introduced due to a poor choice of implementation.

Deployment: Covers vulnerabilities that are likely to be introduced due to poor deployment procedures, or bad application/server configurations.

 

 

Grid Representation:

| Vulnerability | Design | Implementation | Deployment |
|---|---|---|---|
| Abuse of Functionality | X | | |
| Application Misconfiguration | | X | X |
| Brute Force | X | X | |
| Buffer Overflow | | X | |
| Content Spoofing | | X | |
| Credential/Session Prediction | | X | |
| Cross-Site Scripting | | X | |
| Cross-Site Request Forgery | X | X | |
| Denial of Service | X | X | |
| Directory Indexing | | | X |
| Format String | | X | |
| HTTP Response Smuggling | | X | |
| HTTP Response Splitting | | X | |
| HTTP Request Smuggling | | X | |
| HTTP Request Splitting | | X | |
| Integer Overflows | | X | |
| Improper Filesystem Permissions | | X | X |
| Improper Input Handling | | X | |
| Improper Output Handling | | X | |
| Information Leakage | X | X | X |
| Insecure Indexing | | X | X |
| Insufficient Anti-automation | X | X | |
| Insufficient Authentication | X | X | |
| Insufficient Authorization | X | X | |
| Insufficient Password Recovery | X | X | |
| Insufficient Process Validation | X | X | |
| Insufficient Session Expiration | X | X | X |
| Insufficient Transport Layer Protection | X | X | X |
| LDAP Injection | | X | |
| Mail Command Injection | | X | |
| Null Byte Injection | | X | |
| OS Commanding | | X | |
| Path Traversal | | X | |
| Predictable Resource Location | | X | X |
| Remote File Inclusion (RFI) | | X | X |
| Routing Detour | | | X |
| Server Misconfiguration | | | X |
| Session Fixation | | X | X |
| SQL Injection | | X | |
| URL Redirector Abuse | X | X | |
| XPath Injection | | X | |
| XML Attribute Blowup | | X | |
| XML External Entities | | X | |
| XML Entity Expansion | | X | |
| XML Injection | | X | |
| XQuery Injection | | X | |

 

Tree Representation:

Each phase below lists the vulnerability types marked for it in the grid above; a type that can be introduced in more than one phase appears under each of them.

Design
  - Abuse of Functionality
  - Brute Force
  - Cross-Site Request Forgery
  - Denial of Service
  - Information Leakage
  - Insufficient Anti-automation
  - Insufficient Authentication
  - Insufficient Authorization
  - Insufficient Password Recovery
  - Insufficient Process Validation
  - Insufficient Session Expiration
  - Insufficient Transport Layer Protection
  - URL Redirector Abuse

Implementation
  - Application Misconfiguration
  - Brute Force
  - Buffer Overflow
  - Content Spoofing
  - Credential/Session Prediction
  - Cross-Site Scripting
  - Cross-Site Request Forgery
  - Denial of Service
  - Format String
  - HTTP Response Smuggling
  - HTTP Response Splitting
  - HTTP Request Smuggling
  - HTTP Request Splitting
  - Integer Overflows
  - Improper Filesystem Permissions
  - Improper Input Handling
  - Improper Output Handling
  - Information Leakage
  - Insecure Indexing
  - Insufficient Anti-automation
  - Insufficient Authentication
  - Insufficient Authorization
  - Insufficient Password Recovery
  - Insufficient Process Validation
  - Insufficient Session Expiration
  - Insufficient Transport Layer Protection
  - LDAP Injection
  - Mail Command Injection
  - Null Byte Injection
  - OS Commanding
  - Path Traversal
  - Predictable Resource Location
  - Remote File Inclusion (RFI)
  - Session Fixation
  - SQL Injection
  - URL Redirector Abuse
  - XPath Injection
  - XML Attribute Blowup
  - XML External Entities
  - XML Entity Expansion
  - XML Injection
  - XQuery Injection

Deployment
  - Application Misconfiguration
  - Directory Indexing
  - Improper Filesystem Permissions
  - Information Leakage
  - Insecure Indexing
  - Insufficient Session Expiration
  - Insufficient Transport Layer Protection
  - Predictable Resource Location
  - Remote File Inclusion (RFI)
  - Routing Detour
  - Server Misconfiguration
  - Session Fixation
