Threat Classification FAQ

Page history last edited by Robert Auger 13 years, 5 months ago

WASC Threat Classification v2.0 FAQ

Below is a list of frequently asked questions pertaining to the WASC Threat Classification. If you have a question not listed here please fill out the comment form below and someone will get in touch with you.

 

What is new in the Threat Classification v2?

* Expanded Mission Statement

* Clarified terminology

* Proper Classification of threats into Attacks and Weaknesses for static/core view

* Base foundation allowing for the introduction of views into future releases.

 

How can I use the Threat Classification?

The main use of the Threat Classification is as industry expert authored reference material. All TC sections have been thoroughly peer reviewed line by line to achieve the highest state of quality and accuracy. Please visit our page on Using the Threat Classification for how you can use the TC.

 

What happened to the old Threat Classification v1 structure?

The short answer is that the old structure wasn't firmly based on a set of rules and prevented us from expanding it. Additionally, it was very limited in how the TC could be used. Please visit the Threat Classification's Evolution page for a detailed explanation.

 

What are data views?

Views are different ways to represent the same core set of data. The original Threat Classification v1 structure could be considered one way to represent attacks and weaknesses. Views are useful for conveying specific points and allow the core set of data to be used for different purposes.

 

What terminology is the TC using?

Please visit our terminology section for the definitions used throughout the TC.

 

Will the TC ever implement mitigations?

We're currently discussing introducing mitigations to future versions of the TC. At this time we don't have a schedule for when they will be included.

 

How was the TC created?

The Threat Classification was created in an open source group setting made up by industry experts in the security field. Each section was authored and received weeks of peer review in a public setting to ensure accuracy and clarity for each issue.

 

Is this a replacement for CWE/CAPEC?

Absolutely not. The work done by the MITRE folks is far more comprehensive than anything online. The TC serves as a usable document for the masses (developers, security professionals, quality assurance), whereas CWE/CAPEC is more focused on academia. There is a mailing list thread discussing some of the differences between CWE/CAPEC/WASC.

 

I'd like to contribute, how can I?

Comments and discussions regarding the WASC TC may be directed publicly to our mailing list, 'The Web Security Mailing List', at http://www.webappsec.org/lists/websecurity/. Those wishing to provide private feedback may reach us at contact at webappsec.org with the subject 'WASC TC Inquiry', and we will hook you up with how to contribute.

 

Who is the project leader?

The TCV2 and current project leader is Robert Auger. The original TCv1 project leader was Jeremiah Grossman.

 

Just who worked on the Threat Classification?

Many, many people worked on the TC. Check out the Threat Classification Authors and Contributors page for a full list.

 

I'd like to reference a specific TC item, how can I do this?

The TCv2 has introduced static reference identifiers for each item. You can see the entire list of identifiers at this page, or you can click on an individual item and see the identifier at the top of the section.

 

When will the next update to the TC be?

Updating the TCv1 to TCv2 was a monumental effort. We're going to be taking a few months off before performing additional updates. Chances are we'll restart the project in mid-2010.

 

You seem to be missing a few things, why is that?

Due to the enormous effort of this project, there were a few things we are intentionally delaying until the next update of the TC. In particular, topics surrounding data encryption, key management, Unicode, and logging are being deferred until a future release. We have created a page at http://projects.webappsec.org/Threat-Classification-Future outlining things that will be included in future versions of the TC. If you see something missing that you'd like, please let us know via the form at the bottom of the Threat Classification Future page.

 

What will be included in the next release of the TC?

We have created a working page at http://projects.webappsec.org/Threat-Classification-Future which will outline our plans for the next release. The next release of the TC will include content around cryptography-based attacks and weaknesses.

 

What license is the TC using?

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or send a letter to: Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
