This page serves as a raw scratchpad to record ideas that may be incorporated into future versions of the Threat Classification. Nothing listed on this page is firm or should be utilized in any materials.
* Adding Missing Items
- Insufficient Data Protection
- ?Concurrency Attacks/Race Condition/Timing Attacks?
- ?Insufficient Memory Management? (double free, null pointer, use after free, etc)
- ?Insufficient Password Strength/Weak Password/Weak Password Enforcement?
- XSL/XSLT Injection
- Improper Logging
- Insufficient Key Management
- Improper Normalization? (Unicode)
* Update Existing Sections
- Add crossdomain.xml style issues to application misconfiguration
- Add in-depth information on Unicode-related attacks to improper input/output handling sections
* Adding Impacts
<alpha-draft>
Technical
- Confidentiality
- Integrity
- Availability
Business
- Financial Damage
- Non-compliance
- Privacy violation
- Reputation damage
Customer
</alpha-draft>
* Adding Mitigations
* Reference Metrics
* Add Risk calculation section/reference CVSS better?
* Referencing 'how to test'
* Adding Additional Views
- Our 'Alpha Views' page can be found at http://projects.webappsec.org/Threat-Classification-Views-Working
If you are interested in contributing to the WASC Threat Classification please contact us at contact_at_@webappsec.org with the subject 'WASC Threat Classification Contribution Inquiry'.