WASC Threat Classification v2.0 released

 

On the first of the year The Web Application Security Consortium (WASC) released the second version of its Threat Classification Project.  While the WASC is not as well known as OWASP, it has a lot to contribute to the web application security space.

This particular project is a compendium of threats to web application security, separated into attacks and the weaknesses those attacks take advantage of.  Each attack or weakness is described and followed by examples of attack scenarios, including code samples (C, C++, C#, PHP, and SQL) as well as a large number of references to other examples, explanations or news stories about the particular threat.

The document is an easy read (available in PDF or in a wiki-style format) and contains a lot of information and reference material.  The explanations for each threat are clear and concise and provide a great introduction to web application security for both security professionals and application developers.

Additionally, the project offers different views of the data, a nice one being the “Development Phase View” which shows where in a development life-cycle (design, implementation or deployment) the vulnerability may be introduced.

Overall the document is very well done, with a lot of clear explanations and examples, and a lot of links to references where more information can be found.  Mitigation of the threats are not discussed in most instances, but according to the project’s FAQit is currently up for discussion.  Still, this is really required reading for web developers, auditors or security professionals dealing with web applications.

Jeremiah Grossman from WhiteHat Security (and also the project lead for version 1 of the Threat Classification) has also posted a nice chart with mappings from the WASC Threat Classification to the OWASP Top Ten 2010 RC1.

Blog post by:  Dave Shpritz

Leave a Reply