Secure Coding mailing list archives

A New Open Source Approach to Weakness


From: jeff.williams at aspectsecurity.com (Jeff Williams)
Date: Thu, 10 Aug 2006 22:56:05 -0400

We're familiar with the CWE project and there's a lot of overlap between
our vulnerabilities - not surprising given that most came from the same
sources.  Where possible we're trying to keep the same names.  We've
found that some of the topics are really attacks, and have organized
them accordingly.  One of the really great things that CWE has done is
providing links to actual CVE entries demonstrating each of the
vulnerabilities.

We started Honeycomb to:

 - create a complete library of application security building-blocks,
including principles, threats, attacks, vulnerabilities, and
countermeasures

 - enable the rich interconnection of those building-blocks in ways that
a strict one-dimensional taxonomy cannot allow

 - encourage security experts in the community to share their knowledge,
argue, edit, discuss, and resolve in wisdom of crowds fashion

--Jeff

-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of mcgegick at ncsu.edu
Sent: Thursday, August 10, 2006 7:06 PM
To: sc-l at securecoding.org
Subject: [***SPAM (header)***] - Re: [SC-L] A New Open Source Approach
to Weakness - Email found in subject

The Honeycomb project seems interesting.  This sounds a lot like the
Common Weakness Enumeration (CWE - see http://cwe.mitre.org) effort that
has been going on for the past year as part of the DHS software assurance
metrics and tool evaluation project.  The CWE is an aggregation of sources
including Seven Pernicious Kingdoms, CLASP, PLOVER, ten from OWASP, the
Web Security Threat Classification, 19 Deadly Sins, etc. that describes
software weaknesses (to date ~500 of them) in a consistently named fashion
and provides a taxonomy to organize the relationships between the
weaknesses.  The classification comes with the help of a large community
effort including NIST, MITRE, DHS, NSA, many commercial organizations,
academia, and the public.  And, I believe there are currently 15-20 tool
vendors, including Fortify Software and Secure Software, that are
contributing and mapping their content to the CWE.

Thanks,

Michael Gegick

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php