
Experimenting With WASC Threat Classification Views: Vulnerability Root Cause Mapping

I currently lead the WASC Threat Classification Project, and we expect to publish the next version next month. One of the biggest changes between TCv2 and TCv1 is that we are doing away with a single way of representing the data. TCv1 used one tree structure to convey application security concepts. After months of debate we agreed that this was a limiting factor on how the Threat Classification document could be used. We decided instead to create core indexes representing the attacks and the weaknesses, and to plug in views over those attacks and weaknesses so that the same data can convey numerous concepts.

Typically I don't post links to material until it is complete; in this case, however, I wanted to get the community's feedback on a particular view concept. The rough idea of this view is to outline where in the development lifecycle a vulnerability may be introduced, where its mitigation was not factored in, and where it could or should be fixed.

Comments welcome either on this site, or on the WASC wiki page below.

Note: This page is alpha so please send in your suggestions. Upon completion of the TC this page will result in a 404.

Link: http://projects.webappsec.org/TC-Cause-View-Alpha
