Lecture 28 Outline

Reading: § 24
Due: Lab 4, due on June 6, 2018 at 11:59pm; Homework 5, due on June 7, 2018 at 11:59pm


  1. Vulnerability models
    1. PA model
    2. RISOS
    3. NRL
    4. Aslam
  2. Some common vulnerabilities
    1. Catalogues: CVE (Common Vulnerabilities and Exposures), CWE (Common Weakness Enumeration)
    2. 2011 MITRE/SANS Top 25 Most Dangerous Software Errors
    3. OWASP Top 10 – 2017 The Ten Most Critical Web Application Security Risks
  3. MITRE/SANS list
    1. Insecure interactions among components (injection is first here)
    2. Risky resource management
    3. Porous defenses
  4. OWASP list
    1. Injection
    2. Broken authentication and session management
    3. Sensitive data exposure
    4. XML external entities
    5. Broken access cointrol
    6. Security misconfiguration
    7. Cross-site scripting
    8. Insecure deserialization
    9. Using components with known vulnerabilities
    10. Insufficient logging and monitoring
  5. Comparison
    1. Everything on the OWASP list is also on the MITRE/SANS list
    2. Injection is #1 on both lists
    3. The MITRE/SANS list covers vulnerabilities generally; OWASP covers only web vulnerabilities


UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: [email protected]
ECS 153, Computer Security
Version of June 5, 2018 at 9:08PM

You can also obtain a PDF version of this.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh