8

All,

First question on here so please be as gentle as you can :-)

I've been looking around for any writings or papers on a standard for classifying vulnerabilities. Not from a severity/risk/impact point of view, but categorising, such as grouping all the 'missing patches', 'weak authentication management', egress/ingress rules for networks and the like. Now I know that plenty of people have done this work already, myself included. What I am interested to know is if anyone has done something on a more formal/standard footing?

Long question, all responses warmly welcomed.

AviD
IC3N1

2 Answers

6

MITRE has a few systems for this: CVE for things that need patching; CWE for bugs that need to be avoided/fixed; CAPEC describing attacks on your infrastructure; CCE for configuration needs; CPE for a proper naming scheme; and CEE for event exchange information.

http://makingsecuritymeasurable.mitre.org

You'll find links to other resources that work along with MITRE's standards or are similar in nature to them.

atdre
  • Yup, I was going to point to MITRE, though it seems that CWE is more what the OP was looking for... – AviD Jun 09 '11 at 14:12
  • Just as a follow up - MITRE looks like it is my friend. Many thanks. – IC3N1 Jun 14 '11 at 08:36
  • 1
    There has been a lot of great work on this in the past 7 years. This list from MISP/circl is a great place to start: https://www.circl.lu/doc/misp-taxonomies/ – turtlemonvh Apr 03 '18 at 22:08
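To make the MITRE axes in the answer above concrete, here is an added example (not code from the answer, the question, or MITRE) that tags a handful of constructed findings with a CVE (the specific instance needing a patch), a CWE (the weakness class), a CAPEC (the attack pattern) and a CPE 2.3 name (the affected platform), validates the identifier syntax, and then groups the findings by weakness class and by platform. The finding records, their titles and the `example` vendor are made up for the illustration; the CWE and CAPEC numbers are the ones I believe match each finding, but check them against MITRE's lists before reusing them. The CPE parser handles the backslash escaping that CPE 2.3 formatted strings use, so a literal `:` inside a version field does not break the split.

```python
"""Classify findings along MITRE's axes: CVE, CWE, CAPEC and CPE.

Added example, not part of the original Q&A. Sample findings below are constructed.
"""
import re
from collections import defaultdict

# Identifier syntaxes. CVE IDs carry four or more sequence digits (the
# post-2014 format); CWE and CAPEC IDs are a prefix plus a number.
ID_SYNTAX = {
    "cve": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "cwe": re.compile(r"^CWE-\d+$"),
    "capec": re.compile(r"^CAPEC-\d+$"),
}

# The eleven components that follow "cpe:2.3:" in a formatted string.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe23(s):
    """Split a CPE 2.3 formatted string on unescaped ':'.

    A backslash escapes the following character, so '\\:' stays inside a field.
    """
    fields, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):   # keep the escape pair intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe23(s):
    """Return the named components of a CPE 2.3 formatted string, or raise ValueError."""
    parts = split_cpe23(s)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {s!r}")
    cpe = dict(zip(CPE23_FIELDS, parts[2:]))
    if cpe["part"] not in ("a", "o", "h"):   # application, operating system, hardware
        raise ValueError(f"bad CPE part {cpe['part']!r} in {s!r}")
    return cpe


def validate_finding(f):
    """Check every MITRE identifier on a finding and return its parsed CPE."""
    for key, rx in ID_SYNTAX.items():
        if key in f and not rx.match(f[key]):
            raise ValueError(f"{f['title']}: malformed {key.upper()} id {f[key]!r}")
    if "cwe" not in f:
        raise ValueError(f"{f['title']}: every finding needs a CWE weakness class")
    return parse_cpe23(f["cpe"])


def classify(findings):
    """Group finding titles by CWE (weakness class) and by CPE vendor:product (platform)."""
    by_cwe, by_platform = defaultdict(list), defaultdict(list)
    for f in findings:
        cpe = validate_finding(f)
        by_cwe[f["cwe"]].append(f["title"])
        by_platform[f"{cpe['vendor']}:{cpe['product']}"].append(f["title"])
    return dict(by_cwe), dict(by_platform)


# Constructed sample findings (assumed identifiers; verify numbers against MITRE's lists).
# A CVE is only present where the finding is a known, patchable instance.
FINDINGS = [
    {"title": "Apache httpd 2.4.49 path traversal (missing patch)",
     "cve": "CVE-2021-41773", "cwe": "CWE-22", "capec": "CAPEC-126",
     "cpe": "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*"},
    {"title": "Admin portal allows unlimited password guesses",
     "cwe": "CWE-287", "capec": "CAPEC-49",
     "cpe": "cpe:2.3:a:example:admin_portal:1.0:*:*:*:*:*:*:*"},
    {"title": "Search page reflects query unescaped",
     "cwe": "CWE-79", "capec": "CAPEC-63",
     "cpe": "cpe:2.3:a:example:web_app:2\\:1:*:*:*:*:*:*:*"},   # escaped ':' in version
]

if __name__ == "__main__":
    by_cwe, by_platform = classify(FINDINGS)
    for cwe, titles in by_cwe.items():
        print(cwe, "->", titles)
    for platform, titles in by_platform.items():
        print(platform, "->", titles)
```

The point of the two groupings is that they answer different questions: the CWE view is what the question is after (a stable category scheme independent of any one product), while the CPE view is what you need when the same weakness class has to be tied back to an asset inventory or to a CVE feed.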
2

The OWASP top ten categorisation is exactly this kind of thing. Admittedly, they have chosen to dramatically shrink scope to just the top ten attack types.

Rory Alsop
  • OWASP Top 10 is good for those that it includes, and OWASP has a larger library of common vulnerabilities (though I guess not as formalized as MITRE's), mostly donated by Fortify and Aspect (so take them with certain amount of sodium chloride...) – AviD Jun 09 '11 at 14:13
  • Rory, thanks for the answer. Although the OWASP list gives good coverage of the common vulnerabilities, it is by its very nature web-centric. For my needs I wanted a broader set of categories, and I think MITRE's work looks closer to my needs. – IC3N1 Jun 14 '11 at 08:35