So CWE is:
CWE™ is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.
They have software flaws and hardware flaws. They are agnostic to the tech (e.g. web, database, smart contracts, whatever); it's about cataloging the class/type/information around common types of vulnerabilities.
For example, there are entire blocks of cryptography-related vulnerabilities:
CWE CATEGORY: Cryptographic Issues and
CWE-327: Use of a Broken or Risky Cryptographic Algorithm to name two.
------------------------------
Kurt Seifried
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance
[email protected]
------------------------------
Original Message:
Sent: Jul 22, 2020 08:01:10 AM
From: Carlos Dominguez
Subject: New CWE board and future work on classifying vulnerabilities
As per the scope of this group:
- Will the CWE eventually include enumeration for smart contract platform implementations? Every blockchain platform provides some form of computation that could be susceptible to design and implementation weaknesses potentially impacting quality of consensus.
- Another area of concern is "home made" cryptographic methods, as some blockchain vendors/developers seem to be creating their own functions (i.e. the IOTA ternary hash).
------------------------------
Carlos Dominguez CISSP, CISA, SABSA SCF
Original Message:
Sent: Jul 21, 2020 10:09:14 AM
From: Kurt Seifried
Subject: New CWE board and future work on classifying vulnerabilities
So from the news (July 20, 2020): "New CWE/CAPEC Board Includes Representatives from IT and Cybersecurity Communities" (https://cwe.mitre.org/news/index.html)
CWE has established a new CWE/CAPEC Board comprised of representatives from commercial hardware and software vendors, academia, government departments and agencies, and other prominent security experts that will help set and promote the goals and objectives of the Common Weakness Enumeration (CWE™)/Common Attack Pattern Enumeration and Classification (CAPEC™) Program.
Members of the CWE/CAPEC Board will work with each other and the community to advise and advocate for the CWE/CAPEC Program. Through open and collaborative discussions, board members will provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction. All Board Meetings and Board Email List Discussions will be archived for the community.
I'm on the board so that gives us a pretty clear pathway to talking with them.
So what do you, the community, want to see? I'm hoping for:
- Added transparency in how CWEs are created so we know where they are progress-wise
- A better CWE creation pipeline (we currently have 100+ things that could probably be turned into CWEs)
- Better coordination between CWE and related communities (us, OWASP, etc.)
------------------------------
Kurt Seifried
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance
[email protected]
------------------------------