The Web Application Security Consortium’s Web Security Threat Classification guide has eight vulnerabilities. Aaron Higbee decided to bait me with a link to the guide. The document’s use of the word “threat” in the title might be problematic, as I doubted it would be a classification of the parties with the capabilities and intentions to exploit vulnerabilities in assets. But I was pleasantly surprised to see most of the content correctly framed as “attacks” Other content was not labelled correctly, and I suggest an alternative way of looking at these issues. I’ve angered more security professionals by debating their classification program.”]
Source: https://taosecurity.blogspot.com/2005/07/thoughts-on-web-application-security.html