Help me fill out a list of flaw types
David
nezsez2 at gmail.com
Tue Aug 13 17:10:28 UTC 2013
Ok I've read your existing list.
you might consider a section for system configuration errors (ex. LDAP
auth being passed in clear to an AD server that doesn't support
starttls/ssl when not using GSSAPI or having SSH 1 available, etc)
seeding errors for rand yielding predictable results
improper handling of errno values resulting in lock/race/buffer probs
On 08/12/2013 02:20 PM, Josh Bressers wrote:
>> Did you have a particular use-case in mind for your list? Will you be
>> accessing this list programmatically or just for human consumption?
>> Perhaps a schema/classification skeleton we could start with? Do you
>> want a list of specific exploits/vulnerabilities (so you might start
>> with local and remote for example then drill down with stack exploits,
>> cross site injections etc) or just a list of the monikers of actual
>> exploits like "sasser", or something more like "social engineering",
>> "network", "program code"..."input validation", etc?
>>
> Basically it's just a list for me. I'm putting together a nice list of
> possible topics for a variety of reasons. I figured it would be nice to get
> input from others, and obvious make such a list public for anyone who
> wanted something similar.
>
> It's a pretty open request, so I'd say anything goes. If you have some
> ideas, jot them down.
>
> Thanks.
>
More information about the security
mailing list