A US Department of Homeland Security-sponsored plan designed to create a standard dictionary for security bugs is taking shape, its backers said on Thursday.
The effort, called Common Weakness Enumeration, aims to create a formal list of software weaknesses such as buffer overflows and format string errors. The list is to serve as a common language for describing software vulnerabilities, replacing the varied terms that many technology companies and security vendors use today.
"Without a common, high-fidelity description of these weaknesses, efforts to address vulnerabilities will be piecemeal at best, only solving part of the problem," Steve Christey, a principal information security engineer at Mitre, said in a presentation at the Black Hat DC Briefings & Training event in Arlington, Virginia. Mitre, a nonprofit organisation, oversees the CWE initiative.
Through the dictionary, Mitre hopes to provide a common standard for identifying, mitigating and preventing software bugs. The CWE can also function as a security measuring stick for people buying software, in particular security tools that aim to prevent or detect specific security problems, according to Mitre.
"This does give buyers one more tool for communicating with vendors what their expectations are," Christey said. Also, CWE can help software developers better understand what to avoid when building applications, he said.
To underscore the necessity of CWE, Christey said coverage of early definitions by source code-checking tools is very slim.
"Half of (the definitions in) CWE were not covered by any tool at all, and 29 percent was covered by a single tool," he said. These are tools such as those sold by Fortify Software, Coverity and Klocwork that vet computer code for bugs.
Some of the source code security companies, such as Cigital, have already committed to using CWE, according to Mitre. Others will likely follow, Christey said.
"We hope that CWE will show up in products," he said.
Mitre has been working on CWE for the past year and a half. People working on the project are pulling together data from multiple sources, including security tool makers, and unifying it. This is proving to be an arduous task. One list alone already contains 300 bug categories.
"We are currently at draft 5. We have (everything but the) kitchen sink today, but in a good way," said Sean Barnum, a managing consultant at Cigital who has been helping Mitre.
The dictionary's fifth draft was published on 15 December. The sixth draft is expected to have merged data regarding weaknesses from 16 tool and knowledge sources participating in the CWE initiative.
CWE is nearly ready for widespread use, Christey said. A final draft is to be released in the coming months.
