RealTime IT News

A New Open Source Approach to Weakness

More than 270 years ago, Carolus Linnaeus, in his book Systema Naturae, attempted to categorize all biology on the Earth into a series of kingdoms. Web application security vendor Fortify thinks that the same kingdom approach can be taken to classify Web vulnerabilities.

The approach is one that Fortify is now donating to the non-profit Open Web Application Security Project (OWASP), and it might just help to take the study of vulnerabilities out of the Dark Ages.

Fortify has named its classification system the "Seven Pernicious Kingdoms," and it categorizes common Web application vulnerabilities in modern software.

The seven top-level kingdoms are: Input Validation and Representation, API Abuse, Security Features, Time and State, Errors, Code Quality, and Encapsulation.

The organization of the classification scheme takes a page from biology class. It refers to vulnerability categories as phyla, while collections of vulnerability categories that share the same theme are referred to as kingdoms.

"The vulnerabilities will be integrated into our reference materials where everyone can use them for free. Some obvious uses of this information are for threat modeling, secure coding, and vulnerability management," Jeff Williams, chair of The OWASP Foundation, told internetnews.com.

"We're also integrating the information into OWASP's report generator tool, which helps application security analysts write up findings clearly and completely."

"I'm sure we haven't thought of all the ways this information will be used," Williams continued. "But we're sure that without it application security will remain in the Dark Ages."

Williams explained that like all information from OWASP, the vulnerabilities will be available under the Creative Commons license and will evolve daily.

Fortify originally began its work in 2003 as part of efforts to collect vulnerability categories for Fortify's source code analysis application.

"In order to detect vulnerabilities in source code, you have to know what to look for," Brian Chess, chief scientist at Fortify, told internetnews.com.

According to OWASP's Williams, many application security vulnerabilities are not obvious, even to an excellent developer.

He argued that most developers simply don't think about all the possible ways that someone might try to break an application.

As an example, Williams noted that it would be rare for a developer to come up with "SQL injection" or "integer overflow" vulnerabilities on their own.

"As a security community we are doing a terrible job of getting vulnerabilities out of software once and for all," Williams stated.

"For example, we've lived with buffer overflows for 30 years and we're going to live with them for 30 more if we don't do something about it."

"The world needs a basic set of application security reference materials; OWASP is building it and Fortify has helped us immensely."

Chess hopes that by using the "Kingdom" approach pioneered by Carolus Linnaeus nearly three centuries ago, Fortify (and now, by extension, OWASP) can find similar success in classifying a difficult topic.

"You can't tell a developer to go away and memorize a flat list of more than one hundred things. The information has to be structured in some way that non-experts can approach it and benefit from it," Chess said.

"When it comes to structuring a large, complex, and ever-changing body of scientific data, there has been no greater success than the way biologists group and categorize living things.

"We were inspired by their success."