Jesper Jurcenoks
Director, Research
Chief Evangelist
June, 2013
Technical Whitepaper
2013
Abstract
Correlating vulnerabilities, weaknesses and threats across not only different vendors but also different security industries is becoming increasingly complex with the proliferation of common security categorization systems. How can security practitioners know if their IPS has been configured to protect against all known vulnerabilities? In one of our most recent research projects, Critical Watch has reviewed past taxonomy challenges and updated mapping corollaries to meet today's security intelligence needs.
To create the current mapping, existing standards and taxonomies were compared and correlated by hand. The result is a clear picture of OWASP, WASC and CWE mappings correlated for a unified taxonomy and an accurate picture of vulnerability coverage.
Table of Contents
Introduction - 3
Methodology - 5
Mapping - 8
Conclusion - 11
Glossary - 12
Page |2
Introduction
In 2010, WhiteHat founder and CTO Jeremiah Grossman, along with well-known Information Security Engineer Bil Corry, made a provisional mapping between the early release candidate (RC1) of OWASP Top 10 2010 and the then current WASC list. The mapping is good; however, (1) the final OWASP release turned out to be slightly different from the release candidate used by Grossman and Corry, and (2) the mappings have not been updated or maintained. The unmodified Grossman/Corry mapping has since been referenced in a number of other mappings (i.e. incorporating some of the original shortcomings). The original mapping can be found here: http://jeremiahgrossman.blogspot.com/2010/01/wasc-threat-classification-to-owasptop.html.
The Web Application Security Consortium (WASC) adapted the OWASP release candidate mappings made by Grossman and Corry and enhanced them with mappings from WASC to CWE and to the SANS Top 25 to make a matrix that combined OWASP Top 10 from 2010, 2007, and 2004 with WASC, CWE, CWE/SANS Top 25 2009, and CAPEC. Our research found this mapping to be the best publicly available mapping between OWASP Top 10, WASC and CWE. You can see the WASC 2010 mapping here:
http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View
Unfortunately, the mapping has not been maintained since April 2010, it is not based on the final OWASP Top 10 2010, and it has certain internal inconsistencies; for example, when Mitre's mappings from OWASP Top 10 to CWE are compared with WASC's OWASP-to-CWE-via-WASC mapping, the results are not always consistent.
The problem for security experts at organizations, security consultants and auditors is: how do I know if my WAF will protect against the CVE that the PCI ASV found? Has my IPS been configured to protect against all of the OWASP Top 10? What about the CWE/SANS Top 25? Answering these questions in an easy-to-access format became the goal of the Critical Watch research department. We determined that some of the original mappings could be optimized as well as new mappings added. In addition to utilizing internal Security Intelligence tools, the resources cited below were reviewed as part of our findings.
Methodology
Using a spreadsheet, the mappings were made using the following methodology:
Starting with OWASP Top 10 RC1 from http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View, the list was re-numbered and resorted to reflect the final version of OWASP Top
where appropriate. This resulted in an indirect OWASP -> CWE Mapping via WASC.
6) Mitre's mapping from OWASP 2010 directly to CWE was added for parent CWEs (e.g., if an OWASP weakness was mapped to a broad CWE parent and a more specific child CWE in the same family, only then would the parent be included. When the OWASP weakness referred to distinct CWE families, the parent of each family would be included.)
7) The new CWEs added from the Mitre OWASP-to-CWE mapping were matched to existing WASC categories under that OWASP weakness. When an appropriate WASC TC could not be found, the CWE name was put into the WASC column as a description.
8) Mitre's mapping from OWASP 2004 directly to CWE was used to verify existing mappings for OWASP 2004 Denial of Service and Buffer Overflow, but old OWASP-to-CWE coverage was not added to the matrix from Mitre unless it was deemed essential.
9) The CWE/SANS Top 25 was then added to the matrix, making sure to categorize each CWE from the CWE/SANS Top 25 into the right OWASP and WASC threat categories. When a WASC could not be found, the CWE name was inserted into the WASC category as a description.
10) The CWE/SANS Top 25 On the Cusp (26-41) was added to the matrix. When a child CWE was directly referenced in the Cusp listing and the parent was already in the mapping, the child was still included for completeness.
a. Note: while WASC-41 XML Attribute Blowup is CWE-770, CWE-770 is more than just XML Attribute Blowup, which is why CWE/SANS Top 25 #26 is mapped to WASC-10 Denial of Service.
11) More than one CWE per WASC is listed in a few places where it was appropriate.
12) When OWASP Top 10 2013 was released, the mapping was updated to reflect the new list:
a. OWASP A01 Injection was left unchanged.
b. OWASP 2010 A03 became OWASP 2013 A02 Broken Authentication and Session Management.
c. OWASP 2010 A02 became OWASP 2013 A03 Cross-site Scripting (XSS).
d. OWASP A04 Insecure Direct Object Reference was left unchanged.
e. OWASP 2010 A06 became OWASP 2013 A05 Security Misconfiguration.
f. OWASP 2010 A07 and A09 were combined to make A06 Sensitive Data Exposure.
g. OWASP 2010 A08 became OWASP 2013 A07 Missing Function Level Access Control.
h. OWASP 2010 A05 became OWASP 2013 A08 Cross-site Request Forgery.
i. Added new category A09 Using Components with Known Vulnerabilities.
j. OWASP A10 Unvalidated Redirects and Forwards was left unchanged.
k. OWASP A05 Misconfiguration was evaluated to see if any mappings should be removed now that A09 Using Components with Known Vulnerabilities had been extracted; none were found.
l. WASC was researched to see if any WASC belonged in the new OWASP A9; none were found.
m. CWE was researched to see if any CWE belonged in the new OWASP A9. CWE-830 and CWE-829 were evaluated; CWE-830 was rejected as it only references insecure components outside the sphere of control, whereas A9 specifically talks about insecure components within the sphere of control. CWE-829 was included because it lists libraries that contain their own weaknesses.
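The matrix-building rules above (indirect OWASP-to-CWE via WASC, the parent-CWE rule of step 6, the CWE-name fallback of steps 7 and 9, Cusp children kept beside their parent in step 10) and the coverage question from the introduction, as an added example in Python; this is not Critical Watch's spreadsheet, and the sample mappings, the short CWE names and the reading of step 6 as "keep the family parent, drop listed children" are constructed assumptions:

```python
from collections import defaultdict

# Constructed sample inputs: identifiers from the paper, relationships cut down to a few entries.
OWASP_TO_WASC = {"A01": ["WASC-05", "WASC-19"], "A02": ["WASC-01"]}            # step 5
WASC_TO_CWE = {"WASC-05": ["CWE-98"], "WASC-19": ["CWE-89"], "WASC-01": ["CWE-287"]}
MITRE_OWASP_TO_CWE = {"A01": ["CWE-20", "CWE-89", "CWE-78"],                     # step 6
                      "A02": ["CWE-287", "CWE-307", "CWE-798"]}
CWE_PARENT = {"CWE-89": "CWE-20", "CWE-78": "CWE-20", "CWE-307": "CWE-287", "CWE-798": "CWE-287"}
CWE_NAME = {"CWE-20": "Improper Input Validation", "CWE-78": "OS Command Injection",
            "CWE-307": "Excessive Authentication Attempts", "CWE-798": "Hard-coded Credentials"}
WASC_NAME = {"WASC-05": "Remote File Inclusion", "WASC-19": "SQL Injection",
             "WASC-01": "Insufficient Authentication"}
TOP25_RANK = {"CWE-89": 1, "CWE-78": 2, "CWE-798": 7, "CWE-307": 21}             # step 9

def ancestors(cwe):
    while cwe in CWE_PARENT:
        cwe = CWE_PARENT[cwe]
        yield cwe
def family_parents(cwes):
    """Step 6 as read here: keep only the parent of each CWE family from Mitre's direct list."""
    return [c for c in cwes if not any(a in cwes for a in ancestors(c))]
def build_matrix():
    """Rows of (OWASP, WASC or CWE-name description, CWE-ID, Top 25 rank or None)."""
    rows = []
    def add(owasp, cwe):
        if any(r[0] == owasp and r[2] == cwe for r in rows):
            return                                        # already in the matrix
        wasc = next((w for w in OWASP_TO_WASC[owasp] if cwe in WASC_TO_CWE[w]), None)
        # steps 7 and 9: with no fitting WASC TC, the CWE name stands in the WASC column
        label = f"{wasc} {WASC_NAME[wasc]}" if wasc else CWE_NAME.get(cwe, cwe)
        rows.append((owasp, label, cwe, TOP25_RANK.get(cwe)))
    for owasp, wascs in OWASP_TO_WASC.items():
        for cwe in (c for w in wascs for c in WASC_TO_CWE[w]):
            add(owasp, cwe)                               # indirect OWASP -> CWE via WASC
        for cwe in family_parents(MITRE_OWASP_TO_CWE[owasp]):
            add(owasp, cwe)
    for cwe in TOP25_RANK:                                # steps 9-10: Top 25 entries are kept
        owasp = next((o for o, cs in MITRE_OWASP_TO_CWE.items() if cwe in cs), None)
        if owasp:                                         # even when their parent is present
            add(owasp, cwe)
    return rows

def coverage_gaps(covered_cwes, rows):
    """Introduction's question: which rows does a control tagged with CWE-ids leave open?
    Assumption: a signature for a parent CWE also covers its children."""
    gaps = defaultdict(list)
    for owasp, _, cwe, _ in rows:
        if not set(covered_cwes).intersection([cwe, *ancestors(cwe)]):
            gaps[owasp].append(cwe)
    return dict(gaps)
```

Feeding the matrix a WAF or IPS rule set tagged with CWE-ids lists, per OWASP category, the rows that rule set does not reach.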
Mapping
Our research concluded with an updated mapping of taxonomy across OWASP, WASC and CWE. The
findings are reflected below.
[Mapping table: in the original this is a four-column table (OWASP Top 10 2013 | WASC v2 | CWE-ID | CWE/SANS Top 25 2011 rank) spanning pages 8 to 10. Its layout did not survive extraction; the row-by-row associations are lost and only the values below are recoverable.]

OWASP rows visible: A01 - Injection; A04 - Insecure Direct Object Reference; A05 - Security Misconfiguration; a closing "No OWASP / No WASC" group.

WASC rows visible: WASC-01 Insufficient Authentication; WASC-02 Insufficient Authorization; WASC-05 Remote File Inclusion; WASC-14 Server Misconfiguration; WASC-15 Application Misconfiguration; WASC-16 Directory Indexing; WASC-17 Improper Filesystem Permissions; WASC-26 Request Smuggling; WASC-27 Response Smuggling; WASC-32 Routing Detour; WASC-40 Insufficient Process Validation; [NO WASC]; CWE-name descriptions "PHP Injection" and "... Dangerous Type".

CWE-ID column, in extraction order:
CWE-472, CWE-98, CWE-73, CWE-94, CWE-98, CWE-426, CWE-73, CWE-89, CWE-564, CWE-20, CWE-91, CWE-113, CWE-158, CWE-90, CWE-88, CWE-78, CWE-97, CWE-643, CWE-652,
CWE-306, CWE-287, CWE-307, CWE-345, CWE-798, CWE-330, CWE-384, CWE-613, CWE-807, CWE-494, CWE-79, CWE-93, CWE-434,
CWE-287, CWE-862, CWE-863, CWE-22, CWE-829, CWE-284, CWE-639, CWE-219, CWE-200, CWE-754, CWE-16, CWE-16, CWE-548, CWE-250, CWE-732, CWE-280, CWE-538, CWE-552, CWE-311,
CWE-209, CWE-327, CWE-759, CWE-326, CWE-311, CWE-285, CWE-799, CWE-084, CWE-425, CWE-352, CWE-829, CWE-601, CWE-190, CWE-134,
CWE-119, CWE-120, CWE-676, CWE-131, CWE-805 (child of CWE-119), CWE-822 (child of CWE-119), CWE-825 (child of CWE-119), CWE-400, CWE-770 (child of CWE-400), CWE-772, CWE-789, CWE-770, CWE-775, CWE-129, CWE-476, CWE-116, CWE-838 (child of CWE-116), CWE-212 (child of CWE-200), CWE-444, CWE-436, CWE-300, CWE-441, CWE-691, CWE-841 (child of CWE-691), CWE-227, CWE-611, CWE-205, CWE-612, CWE-640, CWE-362, CWE-681, CWE-456.

CWE/SANS Top 25 rank column, in extraction order: 27, 21, 7, 31, 10, 14, 15, 13, 16, 39, 11, 17, 28, 19, 25, 12, 16, 22, 24, 23, 38, 27, 36, 30, 34, 37, 33, 35, 41.
Conclusion
Taxonomic information is critical for both perimeter and internal defenses to quickly detect, manage and control threats to a weak infrastructure. Effective control and management measures can be implemented only when security issues are promptly and correctly identified. Modern security ecosystems are heterogeneous, built from best-of-breed products from disparate and incompatible vendors. A consistent cross-taxonomy is going to be the key to realizing active countermeasures that dynamically integrate these ecosystems.
Glossary
CVE (Common Vulnerability Enumeration) is the leading naming standard for vulnerabilities in the world, using a CVE-id. This nomenclature denotes the manifestation of a particular computer weakness on a particular piece of software (or firmware). Other vulnerability naming systems are maintained by OSVDB (Open Source Vulnerability Database), Security Focus (bugtraq), Secunia and national CERTs (Computer Emergency Response Teams). Mitre records a little over 80 new vulnerabilities in an average week. As of 2012, there are more than 50,000 CVE-ids (a CVE-id is made from the current year and a sequential number, i.e., the first CVE this year was CVE-2013-0001. Master CVE definitions can be found here: http://cve.mitre.org.) CVEs are assigned severity using the Common Vulnerability Scoring System (CVSS). NVD scores CVEs using CVSS and the scores are publicly available here: http://nvd.nist.gov.
CWE (Common Weakness Enumeration) is the classification of the types of weaknesses that cause vulnerabilities. The list is created from input from security researchers all over the world and maintained by the Mitre Corporation. A CWE can be a broad class of weaknesses, a very specific subgroup of a weakness, and it can even be a list of weaknesses grouped together for a single reference by a CWE-id. Example: CWE-119 Buffer Overflow is the parent of a number of different specific types of buffer overflow. As of June 2012, there are fewer than 1000 CWE-ids. CWEs are assigned on a sequential basis as they are defined. It is not possible to conclude that a certain CWE is more important than another CWE based on the numeric value of the ID alone. Sometimes a family of related CWE-ids is assigned numbers next to each other and other times it is not. This is a consequence of the CWE-ids being defined at the same time, not of a numerical grouping.
The NVD (National Vulnerability Database) group within NIST (National Institute of Standards and Technology) is currently doing a good job of mapping CVE to CWE. The mapping can be found here: http://nvd.nist.gov. Note: NVD is using only a subset of the CWEs in their mapping. The list can be seen here: http://nvd.nist.gov/cwe.cfm.
OWASP Top 10 is a list of web application weaknesses issued every 3 years (2004, 2007, 2010, 2013), made from the consensus of the members of the Open Web Application Security Project (OWASP). The list is prioritized, with OWASP A01 as the most critical weakness and OWASP A10 as the least critical weakness. OWASP relates to the security weaknesses found in web applications. The OWASP Top 10 2013 can be found here:
https://www.owasp.org/index.php/Top_10_2013-Top_10
Mitre has a mapping between OWASP Top 10 in 2004, 2007 and 2010 and CWE in the CWE database here:
CWE/SANS Top 25 is a yearly list of the most severe weaknesses, the result of a collaboration between SANS (SysAdmin, Audit, Networking, and Security), Mitre and top software security experts in the U.S. and Europe. The list partially replaces the old SANS Top 20 Vulnerabilities list that was discontinued after 2007. The most current list is the 2011 edition of the CWE/SANS Top 25 (available here: http://cwe.mitre.org/top25/). Due to the nature of the SANS selection process and the nature of the CWE, some of the entries on the Top 25 list are more specific variants of other entries. The vote produced 41 prioritized results. The top 25 can be found here:
http://cwe.mitre.org/top25/#Listing with the rest from 26-41 here:
http://cwe.mitre.org/top25/cusp.html