
As continuing research in Secure Software Development, I found that the OWASP Top 10 project lists Technical Impact, such as:

https://www.owasp.org/index.php/Top_10_2010-A1

Similarly, CAPEC lists impact in terms of CIA: http://capec.mitre.org/data/definitions/66.html

For further details on technical impacts of various threats, are there any resources which offer detailed analysis including possible case studies?

AviD
Epoch Win

1 Answer


This question is too broad, as the answer is going to depend upon the particular vulnerability/attack. Pretty much any description of a vulnerability or attack will describe its potential impact (= technical impact, in the OWASP terminology). So, if there's a particular vulnerability you want to know about, you should be able to go read any primer on that vulnerability and find out more about the (technical) impact of the vulnerability.

For instance, buffer overflow vulnerabilities allow code injection, so allow the attacker to inject malicious code into the vulnerable program and execute it with all of the program's privileges. SQL injection vulnerabilities allow the attacker to execute arbitrary SQL queries (and thus read or write to the database) and possibly -- depending upon how the database is configured -- execute malicious code with all of the database program's privileges. And so on.

D.W.
  • What would be a good framework to describe Technical Impact? Would the effect of a hack on CIA be a good starting point? – Epoch Win Mar 05 '12 at 20:19
    CIA is fine, but look, you don't need a framework. You can just describe the impact. I think it's easy to get overly hung up on frameworks and taxonomies and stuff like that. – D.W. Mar 05 '12 at 20:35
  • Definitely would not want to get too deep into a taxonomy but I guess what I'm getting at is means by which I describe threats to different stakeholders. CIA might work with security and risk professionals but to a developer you want to emphasize the severity in a different way so that's why I asked for different resources which give different perspectives on the same threat / vulnerability. – Epoch Win Mar 06 '12 at 16:02
  • @EpochWin, that's a different topic. I suggest you open a separate question for that. Some thoughts: (1) a taxonomy/framework is not going to help you communicate to developers; to communicate to developers, focus on, well, communicating. (2) Try this slogan from Bill Joy: [software isn't complete until it is secure](http://www.businessweek.com/technology/content/sep2006/tc20060926_175459.htm). (3) Take a look at [integrating security into the software development lifecycle](http://security.stackexchange.com/q/624/971) (also [this](http://security.stackexchange.com/q/9007/971)). – D.W. Mar 06 '12 at 20:05