March 1, 2007 9:00 AM PST

Dictionary for software bugs to cut confusion?

ARLINGTON, Va.--A U.S. Department of Homeland Security-sponsored plan designed to create a standard dictionary for security bugs is taking shape, its backers said Thursday.

The effort, called Common Weakness Enumeration, aims to create a formal list of software weaknesses such as buffer overflows and format string errors. The list is to serve as a common language for describing software vulnerabilities, replacing the varied terms that many technology companies and security vendors use today.

"Without a common, high-fidelity description of these weaknesses, efforts to address vulnerabilities will be piecemeal at best, only solving part of the problem," Steve Christey, a principal information security engineer at Mitre, said in a presentation at the Black Hat DC Briefings & Training event here. Mitre, a nonprofit organization, oversees the CWE initiative.

Through the dictionary, Mitre hopes to provide a common standard for identifying, mitigating and preventing software bugs. The CWE can also function as a security measuring stick for people buying software, in particular security tools that aim to prevent or detect specific security problems, according to Mitre.

"This does give buyers one more tool for communicating with vendors what their expectations are," Christey said. Also, CWE can help software developers better understand what to avoid when building applications, he said.

To underscore the need for CWE, Christey said that source code-checking tools cover very few of the early definitions.

"Half of (the definitions in) CWE were not covered by any tool at all, and 29 percent was covered by a single tool," he said. These are tools such as those sold by Fortify Software, Coverity and Klocwork that vet computer code for bugs.

Some of the source code security companies, such as Cigital, have already committed to using CWE, according to Mitre. Others will likely follow, Christey said.

"We hope that CWE will show up in products," he said.

Mitre has been working on CWE for the past year and a half. People working on the project are pulling together data from multiple sources, including security tool makers, and unifying it. This is proving to be an arduous task. One list alone already contains 300 bug categories.

"We are currently at draft 5. We have (everything but the) kitchen sink today, but in a good way," said Sean Barnum, a managing consultant at Cigital who has been helping Mitre.

The dictionary's fifth draft was published December 15. The sixth draft is expected to have merged data regarding weaknesses from 16 tool and knowledge sources participating in the CWE initiative.

CWE is nearly ready for widespread use, Christey said. A final draft is slated to be released in the coming months.

8 comments

nice but i have a question
I have a website in deutsch language: http://www.artikelpedia.com and I want to add the ability to be translated in English. I have some pages in English: http://www.artikelpedia.com/artikel/englisch/5/englisch3.php
deutsch: http://www.artikelpedia.com/artikel/deutsch/7/deutsch3.php Italian, French, http://www.artikelpedia.com/artikel/geographie/7/geographie3.php and other: http://www.artikelpedia.com/artikel/biographien/4/biographien10.php and I want to add that ability to all. Please help if you can.

Thanks for suggestions
Posted by artikelpedia12 (3 comments )
Bug lexicon?
Great. Homer Simpsons of the world unite. The idea of naming bugs is interesting I suppose, at least from an etymological standpoint, but completely misses the point. With all our "big box branded consultants" from Cisco, IBM, ISS et al., whose acolytes view the world through a heavily product-focused lens, all they can do is trouble-shoot specific problems. Today, there is a dearth of hard-core network geeks who can sort through ports, protocols and sniffer data and figure out what the hell is going on. This simple skill can easily identify rouge activity, viruses, bots and all sorts of threats...without spending bazillions of dollars on Brand X's new all-in-one appliance. But then again, it's always the simple stuff that topples the giants. So, shhhhhhhhh. Don't let the dullards know what's going on.
Posted by Schratboy (122 comments )
Don't you mean rogue activity?
I doubt rouge figures into the discussion.
Posted by PzkwVIb (462 comments )
My website is in Romanian language:
http://www.medicultau.com/boli-si-tratamente/homeopatie/index.php

and I'm wondering if some pages like this one:
http://www.medicultau.com/notiuni-de-chirurgie-laparoscopica/tehnici-de-baza-in-chirurgia-laparoscopica/index.php
can be automatically translated into other languages.

And if yes, with what script?

Many thanks.
Medicultau
Posted by medicultau (2 comments )