Using the Threat Classification

The Threat Classification v2.0 outlines the attacks and weaknesses that can lead to the compromise of a website, its data, or its users. This document primarily serves as a reference guide for each given attack or weakness and provides examples of each issue as well as helpful reference material. This document is utilized by many organizations and is typically used in the following ways.

Reference material

The TC is created and reviewed by industry experts with years of experience. The primary use is as a reference guide that can be included in security reports, security defects, presentations, and more. The TC content appears in numerous books, security products, and third-party security classification systems. The following is a partial list of companies and products utilizing the Threat Classification.

Security Assessment Checklist:

If you are performing a security review against an application, the TC serves as an enumeration of the threats, which can be used to build a security focus/test plan.

Bug tracking:

One way people use this document is to gather metrics on the security defects affecting their organization. When filing security defects in your bug tracking system, you can assign the weakness or attack to a given bug to identify the frequency of specific threats to your organization.

If you have another use for the TC not outlined here, please contact us (contact @ webappsec.org) with the subject ‘WASC Threat Classification Inquiry’; we'd love to hear from you.