March 1, 2007 9:00 AM PST

Dictionary for software bugs to cut confusion?

ARLINGTON, Va.--A U.S. Department of Homeland Security-sponsored plan designed to create a standard dictionary for security bugs is taking shape, its backers said Thursday.

The effort, called Common Weakness Enumeration, aims to create a formal list of software weaknesses such as buffer overflows and format string errors. The list is to serve as a common language for describing software vulnerabilities, replacing the varied terms that many technology companies and security vendors use today.

"Without a common, high-fidelity description of these weaknesses, efforts to address vulnerabilities will be piecemeal at best, only solving part of the problem," Steve Christey, a principal information security engineer at Mitre, said in a presentation at the Black Hat DC Briefings & Training event here. Mitre, a nonprofit organization, oversees the CWE initiative.

Through the dictionary, Mitre hopes to provide a common standard for identifying, mitigating and preventing software bugs. The CWE can also function as a security measuring stick for people buying software, in particular security tools that aim to prevent or detect specific security problems, according to Mitre.

"This does give buyers one more tool for communicating with vendors what their expectations are," Christey said. Also, CWE can help software developers better understand what to avoid when building applications, he said.

To underscore the necessity of CWE, Christey said coverage of early definitions by source code-checking tools is very slim.

"Half of (the definitions in) CWE were not covered by any tool at all, and 29 percent was covered by a single tool," he said. These are tools such as those sold by Fortify Software, Coverity and Klocwork that vet computer code for bugs.

Some of the source code security companies, such as Cigital, have already committed to using CWE, according to Mitre. Others will likely follow, Christey said.

"We hope that CWE will show up in products," he said.

Mitre has been working on CWE for the past year and a half. People working on the project are pulling together data from multiple sources, including security tool makers, and unifying it. This is proving to be an arduous task. One list alone already contains 300 bug categories.

"We are currently at draft 5. We have (everything but the) kitchen sink today, but in a good way," said Sean Barnum, a managing consultant at Cigital who has been helping Mitre.

The dictionary's fifth draft was published December 15. The sixth draft is expected to have merged data regarding weaknesses from 16 tool and knowledge sources participating in the CWE initiative.

CWE is nearly ready for widespread use, Christey said. A final draft is slated to be released in the coming months.

nice but i have a question
by artikelpedia12 March 1, 2007 10:36 AM PST
I have a website in the German language: http://www.artikelpedia.com and I want to add the ability for it to be translated into English. I have some pages in English: http://www.artikelpedia.com/artikel/englisch/5/englisch3.php
German: http://www.artikelpedia.com/artikel/deutsch/7/deutsch3.php Italian, French, http://www.artikelpedia.com/artikel/geographie/7/geographie3.php and other: http://www.artikelpedia.com/artikel/biographien/4/biographien10.php and I want to add that ability to all. Please help if you can.

Thanks for suggestions
Reply to this comment
Bug lexicon?
by Schratboy March 1, 2007 10:51 AM PST
Great. Homer Simpsons of the world unite. The idea of naming bugs is interesting I suppose, at least from an etymological standpoint, but completely misses the point. With all our "big box branded consultants" from Cisco, IBM, ISS et al., whose acolytes view the world through a heavily product-focused lens, all they can do is trouble-shoot specific problems. Today, there is a dearth of hard-core network geeks who can sort through ports, protocols and sniffer data and figure out what the hell is going on. This simple skill can easily identify rouge activity, viruses, bots and all sorts of threats...without spending bazillions of dollars on Brand X's new all-in-one appliance. But then again, it's always the simple stuff that topples the giants. So, shhhhhhhhh. Don't let the dullards know what's going on.
Reply to this comment
Don't you mean rogue activity?
by PzkwVIb March 2, 2007 1:45 PM PST
I doubt rouge figures into the discussion.
by medicultau November 10, 2008 5:17 AM PST
My website is in the Romanian language:
http://www.medicultau.com/boli-si-tratamente/homeopatie/index.php

and I'm wondering if some pages like this one:
http://www.medicultau.com/notiuni-de-chirurgie-laparoscopica/tehnici-de-baza-in-chirurgia-laparoscopica/index.php
can be automatically translated into other languages.

And if yes with what script?

Many thanks.
Medicultau
Reply to this comment
by medicultau November 10, 2008 5:19 AM PST
My website is in the Romanian language:
http://www.medicultau.com/boli-si-tratamente/homeopatie/index.php

and I'm wondering if some pages like this one:
http://www.medicultau.com/notiuni-de-chirurgie-laparoscopica/tehnici-de-baza-in-chirurgia-laparoscopica/index.php
can be automatically translated into other languages.

And if yes with what script?

Many thanks.
Medicultau
Reply to this comment