Application security vendor Fortify Software Inc. has contributed its classification of software security errors to the Open Web Application Security Project (OWASP). The taxonomy, which Fortify calls the "Seven Pernicious Kingdoms," organizes 115 security vulnerability categories into seven top-level sets of security problems. OWASP, which will manage the research, plans to use the classification scheme as part of its Honeycomb Project, an extensive knowledgebase being assembled around application security principles, threats, attacks, vulnerabilities and countermeasures.
Fortify is contributing its data to OWASP to help create awareness by getting programmers to understand what the common coding mistakes are and how they jeopardize software security, as well as to give back to the open source community, from which Fortify gathered much of its research, according to Brian Chess, chief scientist at Palo Alto, Calif.-based Fortify. Chess, along with Katrina Tsipenyuk of the Fortify Security Research Group and Gary McGraw, chief technology officer of Cigital, identified and classified the security-related errors and vulnerabilities. That taxonomy is used in Fortify's software security products.
When Fortify launched in 2003, it was developing a source code analysis tool to identify software security-related coding errors. Fortify researchers used vulnerability reports and analyzed open source projects as part of the company's effort to identify and catalog security issues.
There is often a subtle difference between quality-related and security-related coding errors, Chess said. "Anything that can go wrong with software has the potential to jeopardize security, but some kinds of mistakes jeopardize security more often than others," he said. For example, "there are a lot of ways you can make a mistake in the interaction with the database -- some will enable a SQL injection, and others will just make the application not work. What we needed to do was focus our work. Instead of everything that can go wrong with software, we started with the most important from a security perspective."
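The distinction Chess draws between a database-interaction mistake that merely breaks the application and one that enables SQL injection can be seen side by side in a few lines. The following is an added illustration, not code from the article, from Fortify or from OWASP; it assumes a constructed SQLite table of users and three hypothetical lookup functions written for this example.

```python
import sqlite3

# Constructed sample data for this example only; not taken from any real application.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """Security-relevant mistake: the caller's input is spliced into the SQL text,
    so characters in the input can change the structure of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "' ORDER BY name"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Corrected form: the input is bound as a parameter and is only ever data."""
    sql = "SELECT name, role FROM users WHERE name = ? ORDER BY name"
    return conn.execute(sql, (name,)).fetchall()


def lookup_wrong_column(conn, name):
    """Quality-only mistake: a misspelled column name. It fails for every input
    and never changes what the query does; it is a bug, but not a security bug."""
    sql = "SELECT name, role FROM users WHERE username = ? ORDER BY name"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run one input through all three variants and report what each one does.
    Database errors are captured as strings so the three outcomes can be compared."""
    conn = make_db()
    outcome = {}
    try:
        outcome["concat"] = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        outcome["concat"] = "error: " + type(exc).__name__
    outcome["param"] = lookup_param(conn, name)
    try:
        outcome["wrong_column"] = lookup_wrong_column(conn, name)
    except sqlite3.Error as exc:
        outcome["wrong_column"] = "error: " + type(exc).__name__
    return outcome


if __name__ == "__main__":
    # A name containing an apostrophe breaks the concatenated query (a quality
    # failure), while the parameterized query handles it correctly.
    print(compare("o'brien"))
    # Input that alters the WHERE clause returns every row from the concatenated
    # query but nothing from the parameterized one, which is the security-relevant
    # difference the article describes.
    print(compare("x' OR '1'='1"))
```

The apostrophe case shows why the concatenated variant is also a quality bug: an ordinary name makes it fail. The misspelled-column variant fails for every input yet never lets input change the query, which is the "just make the application not work" category in Chess's remark. A static analysis tool of the kind the article describes would flag only the first function as a security finding.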
Chess said they decided to organize the vulnerability information so that non-security experts could understand what common mistakes can jeopardize software security. The list's top-level categories are as follows:
- Input validation and representation
- API abuse
- Security features
- Time and state
- Code quality
While Fortify will continue to evolve its classification, Chess said, "one reason for donating it is we think it will be enhanced, and others will contribute to it, more quickly than if we were doing it ourselves."
For the OWASP Honeycomb project, Fortify's classification scheme will provide "a major leg up on our efforts," said Jeff Williams, chairman of OWASP. The intention of the project is to assemble a set of building blocks for software security.
"People are always talking about threats, attacks, vulnerabilities, countermeasures -- there are lots of sources of information, but there's no comprehensive list," Williams said. "We have all these slices of the problem, but no one has taken the bull by the horns and gotten all the basic building blocks down to focus on the higher-level issues. OWASP is trying to build a solid foundation for application security work, and we think we're the right place to do it."
The Honeycomb project will primarily be a knowledgebase, Williams said. "For each topic, for each attack like a SQL injection, we're going to describe what it is, what vulnerabilities and threats it is related to, what countermeasure works, and then link that together in a way that hasn't been attempted before. We're not sure all the ways that information will be used. We just know there's a big vacuum. How can you do threat modeling, for example, without a decent knowledgebase?"
OWASP is also working on a project to develop a report-generating tool, which likely will also benefit from the Fortify classification and the Honeycomb knowledgebase.
"OWASP is coming up with a tool to help take generic vulnerability descriptions and build them into a useful report that companies can use to build better applications," Williams said. "The tool would lean on the generic vulnerability write-ups in the knowledge base."
According to Williams, there has been an "interesting market evolution" in the application security space over the past few years.
"When we put out the [OWASP] top 10, a lot of product vendors came out with press releases that said 'our product solves the OWASP top 10.' That didn't go over with the community because they don't solve the top 10 and you can't, so there was some friction there. [The product vendors] have gotten better at knowing they need to be realistic about what their products do and don't do. It's important to view application security tools and products as one part of a balanced breakfast -- you need training, teams, the whole package. You can't just do it with technology."
Fortify's contribution, Williams said, "is a great model for consulting companies and product companies in this space to work together and share research. It's great for everyone."