One of the conclusions from the August ’05 workshop “Defining the State
of the Art in Software Security Tools” (https://samate.nist.gov/softSecToolsSOA)
was the need for a reference taxonomy of software flaws and vulnerabilities. To
further this goal, the NIST SAMATE team developed a harmonization scenario extending
ideas in the Tsipenyuk/Chess/McGraw paper Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors.
This scenario was created from the following publicly available taxonomies:
- The Kingdoms - Katrina Tsipenyuk, Brian Chess, Gary McGraw - November 2005 - IEEE/ACM Conference, Long Beach, CA
- CLASP - Comprehensive, Lightweight Application Security Process - Pravir Chandra, John Viega et al. - OWASP
- “19 Deadly Sins of Software Security”, M. Howard, D. LeBlanc, and J. Viega, McGraw-Hill Osborne Media, July 2005.
- OWASP Top Ten Most Critical Web Application Security Vulnerabilities
- PLOVER - Preliminary List Of Vulnerability Examples for Researchers - Steve Christey - CVE MITRE
The scenario is unavailable at this time. You can contact us for further information.
Construction details may be found below. This working document was developed by the NIST SAMATE team from publicly available
sources without consultation with any of the taxonomy authors. The goal is to stimulate discussion.
Please join the samate@yahoogroups.com email group to comment.
Notes on the Construction of the Harmonization Scenario:
- At the topmost level are the Kingdoms. The sublevels under each Kingdom are a collection of categories from each of
the five taxonomies. Placing them side by side makes commonalities and differences visible. That
each of the five has a category for buffer overflow, and that the buffer
overflow category of each is located under Input Validation and Representation,
is an example of commonality. That the CLASP category Uninitialized variable
appears under Errors while the Kingdoms category Uninitialized variable appears
under Code Quality is an example of difference.
- Suffixes on the category names indicate from which taxonomy the name comes, and at which step (see next note) in
the construction process the category appeared.
- Suffixes of the form “--f-c” indicate step (a).
- Suffixes of the form “--<taxonomy name>--f-c” indicate step (b).
- Suffixes of the form “--plover” indicate step (c).
- The following describes the process of scenario construction:
- (a) The five topmost levels of the CLASP taxonomy match reasonably well with five of the eight Kingdoms. Thus,
the Kingdoms' topmost levels were chosen as the scenario's topmost level, and the
sublevels of the CLASP taxonomy were merged under the corresponding topmost levels of
the Kingdoms taxonomy as follows:

Kingdoms                               <------ CLASP
Environment                            <------ Environmental problems
Errors                                 <------ General logic errors
Security Features                      <------ Protocol errors
Input Validation and Representation    <------ Range and type errors
Time and State errors                  <------ Synchronization and timing errors
- (b) As described in the Tsipenyuk/Chess/McGraw paper, elements of the lists from the “19 Deadly Sins of Software Security” and the OWASP Top Ten were added.
- (c) The PLOVER WIFF (Weaknesses, Idiosyncrasies, Faults, Flaws) categories were added under the topmost levels of the Kingdoms.
- The scenario was constructed using the ontology development tool Protégé (http://protege.stanford.edu).
This choice was made because Protégé was convenient and because a taxonomy is an elementary ontology. We recognize that XML tools may be more appropriate and
that a schema for representing the reference taxonomy may need to be developed.
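The construction process above, steps (a) through (c) plus the suffix convention, can be modelled as a small merge routine. The following Python is an added example written for this page; it is not NIST SAMATE tooling or the Protégé scenario itself. It assumes that Kingdoms' own categories carry no suffix (the page lists suffixes only for merged-in taxonomies), and the sample entries are constructed from the two cases the page cites: buffer overflow filed under Input Validation and Representation by all five taxonomies, and Uninitialized variable filed under Errors by CLASP but under Code Quality by the Kingdoms.

```python
"""Added example (not NIST's tooling): models SAMATE scenario construction steps
(a)-(c) and the suffix convention, then reports commonalities and differences."""
from collections import defaultdict

# Step (a): the page's top-level mapping, CLASP top level -> Kingdom.
CLASP_TO_KINGDOM = {
    "Environmental problems": "Environment",
    "General logic errors": "Errors",
    "Protocol errors": "Security Features",
    "Range and type errors": "Input Validation and Representation",
    "Synchronization and timing errors": "Time and State",
}

# Construction step at which each merged-in taxonomy enters; Kingdoms is the spine.
STEP_OF = {"CLASP": "a", "19 Deadly Sins": "b", "OWASP Top Ten": "b", "PLOVER": "c"}


def suffixed(taxonomy, name):
    """Apply the page's suffix convention: '--f-c' for step (a),
    '--<taxonomy name>--f-c' for step (b), '--plover' for step (c).
    Assumption: Kingdoms' own categories keep their bare name."""
    step = STEP_OF.get(taxonomy)
    if step is None:
        return name
    if step == "a":
        return f"{name}--f-c"
    if step == "b":
        return f"{name}--{taxonomy}--f-c"
    return f"{name}--plover"


def kingdom_for(taxonomy, top_level):
    """Resolve a category's Kingdom. CLASP top levels go through the step (a)
    mapping; for the other taxonomies the entry already records the Kingdom
    chosen by the analyst when the category was added."""
    if taxonomy == "CLASP":
        return CLASP_TO_KINGDOM[top_level]
    return top_level


def build_scenario(entries):
    """entries: (taxonomy, category name, top level in that taxonomy).
    Returns {kingdom: [suffixed category names]}, the harmonized tree."""
    tree = defaultdict(list)
    for taxonomy, name, top in entries:
        tree[kingdom_for(taxonomy, top)].append(suffixed(taxonomy, name))
    return dict(tree)


def placements(entries):
    """{normalized name: {taxonomy: kingdom}}: where each taxonomy filed a category."""
    where = defaultdict(dict)
    for taxonomy, name, top in entries:
        where[name.lower()][taxonomy] = kingdom_for(taxonomy, top)
    return where


def commonalities(entries):
    """Names that two or more taxonomies file under the same Kingdom."""
    out = {}
    for name, by_tax in placements(entries).items():
        kingdoms = set(by_tax.values())
        if len(by_tax) >= 2 and len(kingdoms) == 1:
            out[name] = kingdoms.pop()
    return out


def differences(entries):
    """Names that different taxonomies file under different Kingdoms."""
    return {name: by_tax for name, by_tax in placements(entries).items()
            if len(set(by_tax.values())) > 1}


# Constructed sample entries, limited to the two cases the page cites.
SAMPLE = [
    ("Kingdoms", "Buffer Overflow", "Input Validation and Representation"),
    ("CLASP", "Buffer overflow", "Range and type errors"),
    ("19 Deadly Sins", "Buffer overflow", "Input Validation and Representation"),
    ("OWASP Top Ten", "Buffer overflow", "Input Validation and Representation"),
    ("PLOVER", "Buffer overflow", "Input Validation and Representation"),
    ("Kingdoms", "Uninitialized Variable", "Code Quality"),
    ("CLASP", "Uninitialized variable", "General logic errors"),
]

if __name__ == "__main__":
    for kingdom, cats in build_scenario(SAMPLE).items():
        print(kingdom, "->", cats)
    print("common:", commonalities(SAMPLE))
    print("differ:", differences(SAMPLE))
```

Run as a script, the tree shows the five buffer overflow entries side by side under Input Validation and Representation with their step suffixes, while Uninitialized variable appears once under Errors (from CLASP, suffixed `--f-c`) and once under Code Quality (from the Kingdoms), which is exactly the kind of difference the side-by-side layout is meant to expose.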