Threat-Classification-Future

Page history last edited by Robert Auger 14 years ago

This page serves as a raw scratchpad to record ideas that may be incorporated into future versions of the Threat Classification. Nothing listed on this page is firm or should be utilized in any materials.

 

* Adding Missing Items

     - Insufficient Data Protection

     - ?Concurrency Attacks/Race Condition/Timing Attacks?

     - ?Insufficient Memory Management? (double free, null pointer, use after free, etc)

     - ?Insufficient Password Strength/Weak Password/Weak Password Enforcement?

     - XSL/XSLT Injection

     - Improper Logging

     - Insufficient Key Management

     - Improper Normalization? (Unicode)

 

* Update Existing Sections

     - Add crossdomain.xml style issues to application misconfiguration

     - Add in-depth information on Unicode-related attacks to improper input/output handling sections

 

* Adding Impacts

<alpha-draft>

Technical
  • Confidentiality
  • Integrity
  • Availability
Business
  • Financial Damage
  • Non-compliance
  • Privacy violation
  • Reputation damage
Customer
  • Identity Theft?

</alpha-draft>

 

* Adding Mitigations

* Reference Metrics

* Add Risk calculation section/reference CVSS better?

* Referencing 'how to test'

* Adding Additional Views

  - Our 'Alpha Views' page can be found at http://projects.webappsec.org/Threat-Classification-Views-Working

 

If you are interested in contributing to the WASC Threat Classification please contact us at contact_at_@webappsec.org with the subject 'WASC Threat Classification Contribution Inquiry'.
