The common problem with most of the popular web application security vulnerability classifications (OWASP Top 10, WASC, CWE, Seven Pernicious Kingdoms) is that they really mix and match threats and vulnerabilities. (In defense of WASC, it is mostly threats, and is indeed called a "Threat Classification").
Before I go further, I need to tell you how I'm defining these terms. This is according to ISC2:
- A vulnerability is an absence or weakness of a risk-reducing safeguard.
- A threat is an event that could have an undesirable impact on the well-being of an asset.
There are a couple of problems with mixing and matching:
- It makes the report inconsistent. When we classify all of them as "vulnerabilities", a single issue really falls into multiple categories in each of these systems. A single successful SQL Injection in most taxonomies would be classified as "lack of input validation", "lack of data representation", and "SQL Injection" all at once: the first two name the missing safeguards, the third names the event that exploits them. Seven Pernicious Kingdoms gets closer, because the kingdoms are (generally) vulnerabilities, and the phyla are (generally) threats.
- Documenting threats at the expense of documenting vulnerabilities leaves the developer with no option but to "fix what's exploitable". Yes, those should be the top priority, but if a developer is only trained to remove Cross-site Scripting vulnerabilities, they never really learn the other benefits of proper data handling.
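To make the threat/vulnerability split concrete, here is an added example (not code from the original post) that puts both side by side in Python with SQLite. The vulnerability is the absent safeguard: untrusted text is concatenated into the SQL grammar. The threat is the event that exploits it: a tautology payload in the password field. The parameterized version keeps the safeguard in place, so the same payload is just an unmatched string. The table, user record and plaintext password are constructed for the example.

```python
import sqlite3

# Constructed in-memory database for the example. Plaintext password storage is a
# simplification here, not a recommendation; the point is the query construction.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The VULNERABILITY: the risk-reducing safeguard (parameterization) is absent,
    # so attacker-controlled text becomes part of the SQL statement itself.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # The SAFEGUARD: bound parameters are always data, never SQL grammar.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# The THREAT: a classic tautology payload. In the vulnerable function it turns the
# WHERE clause into (username = 'alice' AND password = '') OR '1'='1'.
PAYLOAD = "' OR '1'='1"


def demonstrate():
    """Run the legitimate login and the attack against both implementations."""
    conn = make_db()
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_attack": login_vulnerable(conn, "alice", PAYLOAD),
        "parameterized_legit": login_parameterized(conn, "alice", "correct horse"),
        "parameterized_attack": login_parameterized(conn, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {'logged in' if result else 'rejected'}")
```

Note how the same defect can be filed three ways: rejecting quote characters ("input validation") would also stop this particular payload, binding parameters ("data representation") removes the whole class, and the payload itself is the "SQL Injection" entry. Only the middle one describes what the developer actually has to change.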
Does this mean that I'm saying we should get rid of pen testers? No way! Pen testers make the screenshots that end up funding the fixes. But documenting for developers how to write good code is definitely a good thing too.