Secure Coding mailing list archives

A New Open Source Approach to Weakness


From: mcgegick at ncsu.edu (mcgegick at ncsu.edu)
Date: Thu, 10 Aug 2006 19:06:19 -0400 (EDT)

The Honeycomb project seems interesting.  This sounds a lot like the
Common Weakness Enumeration (CWE; see http://cwe.mitre.org) effort that
has been going on for the past year as part of the DHS software assurance
metrics and tool evaluation project.  The CWE is an aggregation of sources
including Seven Pernicious Kingdoms, CLASP, PLOVER, ten from OWASP, the
Web Security Threat Classification, 19 Deadly Sins, etc. that describes
software weaknesses (to date ~500 of them) in a consistently named fashion
and provides a taxonomy to organize the relationships between the
weaknesses.  The classification comes with the help of a large community
effort including NIST, MITRE, DHS, NSA, many commercial organizations,
academia, and the public.  And, I believe there are currently 15-20 tool
vendors, including Fortify Software and Secure Software, that are
contributing and mapping their content to the CWE.

Thanks,

Michael Gegick
