A New Open Source Approach to Weakness


More than 270 years ago, Carolus Linnaeus, in his book Systema Naturae, attempted
to categorize all life on Earth into a series of kingdoms. Web application security vendor Fortify thinks that the same kingdom
approach can be taken to classify Web vulnerabilities.

The approach is one
that Fortify is now donating to the non-profit Open Web Application Security
Project (OWASP), and it might just help to take the study of vulnerabilities
out of the Dark Ages.


Fortify has named its classification system the “Seven Pernicious Kingdoms,”
which categorizes the common Web application vulnerabilities found in
modern software.

The seven top-level kingdoms include: Input Validation and
Representation, API Abuse, Security Features, Time and State, Errors, Code
Quality and Encapsulation.


The organization of the classification scheme takes a page from biology class. It refers to vulnerability categories as phyla, while collections of vulnerability categories that share the same
theme are referred to as kingdoms.


“The vulnerabilities will be integrated into our reference materials where
everyone can use them for free. Some obvious uses of this information are
for threat modeling, secure coding, and vulnerability management,” Jeff
Williams, chair of The OWASP Foundation, told internetnews.com.

“We’re also integrating the information into OWASP’s report generator tool, which helps application security analysts write up findings clearly and
completely.”


“I’m sure we haven’t thought of all the ways this information will be used,”
Williams continued. “But we’re sure that without it application security
will remain in the Dark Ages.”


Williams explained that like all information from OWASP, the vulnerabilities
will be available under the Creative Commons license and will evolve daily.

Fortify’s work on the classification originally began in 2003 as part of efforts
to collect vulnerability categories for Fortify’s source code analysis
application.


“In order to detect vulnerabilities in source code, you have to know what to
look for,” Brian Chess, chief scientist at Fortify, told
internetnews.com.


According to OWASP’s Williams, many application security vulnerabilities
are not obvious, even to an excellent developer.

He argued that most
developers simply don’t think about all the possible ways that someone might
try to break an application.

As an example, Williams noted that it would be
rare for a developer to come up with “SQL injection” or “integer overflow”
vulnerabilities on their own.


“As a security community we are doing a terrible job of getting
vulnerabilities out of software once and for all,” Williams stated.

“For
example, we’ve lived with buffer overflows for 30 years and we’re going to
live with them for 30 more if we don’t do something about it.”


“The world needs a basic set of application security reference materials; OWASP is building it and Fortify has helped us immensely.”


By using the “Kingdom” approach pioneered by Carolus Linnaeus nearly three
centuries ago, Chess hopes that Fortify (and now, by extension, OWASP) can
find similar success in classifying a difficult topic.


“You can’t tell a developer to go away and memorize a flat list of more than
one hundred things. The information has to be structured in some way that
non-experts can approach it and benefit from it,” Chess said.

“When it
comes to structuring a large, complex, and ever-changing body of scientific
data, there has been no greater success than the way biologists group and
categorize living things.


“We were inspired by their success.”
