But that situation is about to change, according to speakers at the Black Hat conference here today. In fact, draft guidelines for specifying common security weaknesses and common attack patterns could be just weeks away.
The proposed specifications would offer common methods for describing and categorizing weaknesses and attack vectors, much as Common Vulnerabilities and Exposures (CVE) and Common Malware Enumeration (CME) have done for vulnerabilities and malware.
The Common Weakness Enumeration (CWE) is in its fifth draft and is already delivering some benefits for software developers, according to Robert Martin, principal engineer at Mitre. It represents a "dictionary" of frequently made mistakes in software development that can lead to exploitable vulnerabilities, he said.
"It's a common body of knowledge about software assurance that will help developers to build security into their applications," Martin said. The initiative, funded largely by the U.S. Department of Homeland Security (DHS), represents some 600 entries from more than 20 vendors of tools that help to identify security weaknesses in software.
The link for this article located at Dark Reading is no longer available.