David A. Wheeler's Blog

Thu, 04 Oct 2007

Software Assurance 2007

Lots of interesting things are happening with the various efforts to eliminate or counter software vulnerabilities. The Software Security Assurance (SwA) State-of-the-Art Report (SOAR) tries to list what’s going on, especially on things related to the U.S. government. As with any such document, it’s incomplete, and it’s only a snapshot (things keep changing!). But if you haven’t been following this world and want to know “what’s going on”, it’s the best place I know of to start. Of course, you can also look at sites such as the U.S. DHS / CERT “Build Security In” site.

The U.S. National Vulnerability Database tracks specific vulnerabilities in specific products; it identifies each vulnerability using the unique identifier assigned by Common Vulnerabilities and Exposures (CVE). A CVE identifier names one vulnerability in one product; it says nothing about what kind of mistake caused it. But if the world is going to prevent these kinds of vulnerabilities from happening in the future, we need to categorize the underlying mistakes in a way that everyone agrees on. Informally, there are lots of ways to categorize them, but the meanings of the categories differ between people. That’s a real problem when comparing tools: different tools find different problems, and without agreed-on terminology it’s hard even to describe how their results differ. MITRE is currently developing a common way to categorize the weaknesses that lead to vulnerabilities, called Common Weakness Enumeration (CWE); each CWE entry describes a type of flaw (such as a buffer overflow or an SQL injection), not a particular instance of it in a particular product. The U.S. National Vulnerability Database and MITRE have worked out a subset of CWEs that NVD will use to categorize the vulnerabilities it tracks. The CWE is still being developed, but at least some common terminology is getting worked out.
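As an added illustration of why a shared weakness vocabulary matters for comparing tools (example code written for this page, not anything from the SOAR, NVD or MITRE): two hypothetical analysis tools report the same kinds of flaws under different names, and their results can only be compared once each tool’s categories are mapped onto CWE identifiers. The tool names, their category strings, the findings and the category-to-CWE mappings below are all constructed; the CWE numbers themselves are real (CWE-79 cross-site scripting, CWE-89 SQL injection, CWE-120 classic buffer overflow, CWE-22 path traversal, CWE-134 externally controlled format string). The CVE identifier check reflects the format as it stands today: a four-digit year and a sequence number of four or more digits (four digits was the only form when this was written).

```python
"""Normalise findings from two (hypothetical) tools onto CWE ids and compare them.

Added example for illustration; tool names, categories, findings and the
category -> CWE mappings are constructed, not taken from any real tool.
"""
import re
from collections import defaultdict

# CVE-<four-digit year>-<sequence of four or more digits>.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def is_cve_id(s):
    """True if s is a syntactically valid CVE identifier (names one instance)."""
    return CVE_RE.match(s) is not None


# Hand-built mappings from each tool's own vocabulary to CWE ids (assumed).
TOOL_A_TO_CWE = {
    "xss": 79,
    "sqli": 89,
    "buffer-overflow": 120,
    "dir-traversal": 22,
}
TOOL_B_TO_CWE = {
    "Cross-Site Scripting": 79,
    "SQL Injection": 89,
    "Unbounded Copy": 120,
    "Format String": 134,
}

# Constructed findings: (file, line, tool's own category).
TOOL_A_FINDINGS = [
    ("login.php", 42, "sqli"),
    ("search.php", 10, "xss"),
    ("util.c", 88, "buffer-overflow"),
    ("download.php", 15, "dir-traversal"),
]
TOOL_B_FINDINGS = [
    ("login.php", 42, "SQL Injection"),
    ("search.php", 10, "Cross-Site Scripting"),
    ("util.c", 90, "Unbounded Copy"),
    ("log.c", 30, "Format String"),
    ("config.php", 5, "Weird Thing"),   # category the mapping does not know
]


def normalise(findings, mapping):
    """Map a tool's findings onto CWE ids.

    Returns {cwe_id: set of (file, line)}. Categories the mapping does not
    cover are kept under the key None rather than silently dropped, so the
    gap in the mapping is visible.
    """
    out = defaultdict(set)
    for path, line, category in findings:
        out[mapping.get(category)].add((path, line))
    return dict(out)


def compare_by_cwe(a, b):
    """Which weakness classes did both tools report, and which only one?

    Unmapped (None) findings are excluded: they cannot be compared.
    """
    ka = {k for k in a if k is not None}
    kb = {k for k in b if k is not None}
    return ka & kb, ka - kb, kb - ka


def compare_locations(a, b, cwe):
    """For one CWE, split the reported locations into shared / A-only / B-only."""
    la, lb = a.get(cwe, set()), b.get(cwe, set())
    return la & lb, la - lb, lb - la


def run():
    """Normalise both tools' output and return the comparison."""
    a = normalise(TOOL_A_FINDINGS, TOOL_A_TO_CWE)
    b = normalise(TOOL_B_FINDINGS, TOOL_B_TO_CWE)
    both, only_a, only_b = compare_by_cwe(a, b)
    per_cwe = {cwe: compare_locations(a, b, cwe) for cwe in sorted(both)}
    unmapped = b.get(None, set()) | a.get(None, set())
    return both, only_a, only_b, per_cwe, unmapped


if __name__ == "__main__":
    both, only_a, only_b, per_cwe, unmapped = run()
    print("found by both tools:", sorted(both))
    print("only tool A:", sorted(only_a), " only tool B:", sorted(only_b))
    for cwe, (shared, a_only, b_only) in per_cwe.items():
        print(f"CWE-{cwe}: shared={sorted(shared)} A-only={sorted(a_only)} B-only={sorted(b_only)}")
    print("findings with no CWE mapping:", sorted(unmapped))
```

Once both tools' categories are expressed as CWE ids, the comparison is a plain set operation, and it also shows the two things a raw side-by-side of tool output hides: where the tools agree on the class of weakness but not on the exact location (CWE-120 above), and which findings could not be compared at all because the mapping has no entry for them.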
