Dictionary for software bugs to cut confusion?

Mitre initiative, backed by Homeland Security, is designed to replace many variations in use today with standard flaw terms.
Written by Joris Evers, Contributor
ARLINGTON, Va.--A U.S. Department of Homeland Security-sponsored plan designed to create a standard dictionary for security bugs is taking shape, its backers said Thursday.

The effort, called Common Weakness Enumeration, aims to create a formal list of software weaknesses such as buffer overflows and format string errors. The list is to serve as a common language for describing software vulnerabilities, replacing the varied terms that many technology companies and security vendors use today.

"Without a common, high-fidelity description of these weaknesses, efforts to address vulnerabilities will be piecemeal at best, only solving part of the problem," Steve Christey, a principal information security engineer at Mitre, said in a presentation at the Black Hat DC Briefings & Training event here. Mitre, a nonprofit organization, oversees the CWE initiative.

Through the dictionary, Mitre hopes to provide a common standard for identifying, mitigating and preventing software bugs. The CWE can also function as a security measuring stick for people buying software, in particular security tools that aim to prevent or detect specific security problems, according to Mitre.

"This does give buyers one more tool for communicating with vendors what their expectations are," Christey said. Also, CWE can help software developers better understand what to avoid when building applications, he said.

To underscore the necessity of CWE, Christey said coverage of early definitions by source code-checking tools is very slim.

"Half of (the definitions in) CWE were not covered by any tool at all, and 29 percent was covered by a single tool," he said. These are tools such as those sold by Fortify Software, Coverity and Klocwork that vet computer code for bugs.

Some of the source code security companies, such as Cigital, have already committed to using CWE, according to Mitre. Others will likely follow, Christey said.

"We hope that CWE will show up in products," he said.

Mitre has been working on CWE for the past year and a half. People working on the project are pulling together data from multiple sources, including security tool makers, and unifying it. This is proving to be an arduous task. One list alone already contains 300 bug categories.

"We are currently at draft 5. We have (everything but the) kitchen sink today, but in a good way," said Sean Barnum, a managing consultant at Cigital who has been helping Mitre.

The dictionary's fifth draft was published December 15. The sixth draft is expected to have merged data regarding weaknesses from 16 tool and knowledge sources participating in the CWE initiative.

CWE is nearly ready for widespread use, Christey said. A final draft is slated to be released in the coming months.
